# Flog Txt Version 1 # Analyzer Version: 2023.2.0 # Analyzer Build Date: Apr 13 2023 06:20:59 # Log Creation Date: 15.06.2023 03:37:26.326 Process: id = "1" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x68c3d000" os_pid = "0xcf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x778" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fel=\"C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs\" /s" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 118 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 119 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 120 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 121 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 122 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 123 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 124 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 125 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 126 start_va = 0xc80000 end_va = 0xc81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 127 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 128 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 129 start_va = 0x7f040000 end_va = 0x7f062fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f040000" filename = "" Region: id = 130 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 131 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 132 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 133 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 272 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 273 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 274 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 275 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 276 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 277 start_va = 0xc90000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 278 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 279 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 280 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 281 start_va = 0x7ef40000 end_va = 0x7f03ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef40000" filename = "" Region: id = 282 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 283 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 284 start_va = 0x742d0000 end_va = 0x74361fff monitored = 0 entry_point = 0x74310380 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 285 start_va = 0x7eb90000 end_va = 0x7ef30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 286 start_va = 0xc80000 end_va = 0xc83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 287 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 288 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 289 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 290 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 291 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 292 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 293 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 294 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 295 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 296 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 297 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 298 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 299 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 300 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 301 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 302 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 303 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 304 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 305 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 306 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 307 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 308 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 309 start_va = 0xc90000 end_va = 0xcb9fff monitored = 0 entry_point = 0xc95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 310 start_va = 0xe10000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 311 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 312 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 313 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 314 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 315 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 316 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 317 start_va = 0xca0000 end_va = 0xd30fff monitored = 0 entry_point = 0xcd8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 318 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 319 start_va = 0xca0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 320 start_va = 0xf10000 end_va = 0x1246fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 321 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 322 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 323 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 324 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 325 start_va = 0x6fea0000 end_va = 0x6ffeafff monitored = 0 entry_point = 0x6ff01660 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 326 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 327 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 328 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 329 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 330 start_va = 0xcd0000 end_va = 0xcd3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 331 start_va = 0xd10000 end_va = 0xd54fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000010.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000010.db") Region: id = 332 start_va = 0xce0000 end_va = 0xce3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 333 start_va = 0xd60000 end_va = 0xdedfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 334 start_va = 0xdf0000 end_va = 0xe00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 335 start_va = 0xcf0000 end_va = 0xcf3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 336 start_va = 0x1250000 end_va = 0x1264fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001b.db") Region: id = 337 start_va = 0x1270000 end_va = 0x1270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 338 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 339 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 340 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 341 start_va = 0x2740000 end_va = 0x283ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 342 start_va = 0xbc0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 343 start_va = 0x2840000 end_va = 0x293ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 344 start_va = 0xc00000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 345 start_va = 0xc40000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 346 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 347 start_va = 0x2a40000 end_va = 0x2b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 348 start_va = 0x71c00000 end_va = 0x71d7dfff monitored = 0 entry_point = 0x71c7c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 349 start_va = 0x73f60000 end_va = 0x7422afff monitored = 0 entry_point = 0x7419c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 350 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 367 start_va = 0x6fd20000 end_va = 0x6fd2bfff monitored = 0 entry_point = 0x6fd24ad0 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\SysWOW64\\pcacli.dll" (normalized: "c:\\windows\\syswow64\\pcacli.dll") Region: id = 368 start_va = 0x6fd00000 end_va = 0x6fd15fff monitored = 0 entry_point = 0x6fd021d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 369 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 370 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 414 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 415 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 485 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 486 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 551 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 552 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 569 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 570 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 705 start_va = 0x12c0000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 706 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 753 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 754 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 886 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 887 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 999 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 1000 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 1017 start_va = 0x12c0000 end_va = 0x12c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1126 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1127 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1440 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 1441 start_va = 0x12d0000 end_va = 0x12d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1442 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 1590 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1591 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 1723 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 1724 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 1862 start_va = 0x2c40000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 1863 start_va = 0x2c80000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 1880 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1881 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2092 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2093 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2170 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2171 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2273 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2274 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2378 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2379 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2454 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2455 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2553 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2554 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2770 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 2771 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2823 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2824 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2997 start_va = 0x2c40000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 2998 start_va = 0x2c80000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 3069 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3070 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3153 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3154 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3238 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3239 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3258 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3259 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3370 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3371 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3407 start_va = 0x2c40000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 3408 start_va = 0x2c80000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 3474 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3475 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3543 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3544 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3596 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3597 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3654 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3655 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3751 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3752 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 4041 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 4042 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 4402 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 4403 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 4491 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 4492 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 5391 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5392 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 5619 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 5620 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 5698 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5699 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 5778 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 5779 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 5799 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5800 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 5923 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 5924 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 6014 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6015 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 6086 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 6087 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 6155 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6156 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 6238 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 6239 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 6607 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 6608 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 6897 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 6898 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 7021 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7022 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 7307 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 7308 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 7544 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7545 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 7707 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 7708 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 7770 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7771 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 8081 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 8082 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 8138 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 8139 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 8360 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 8361 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 8552 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 8553 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 8835 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 8836 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9022 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9023 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9040 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9041 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9198 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9199 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9277 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9278 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9358 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9359 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9415 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9416 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9435 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9436 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9591 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9592 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9673 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9674 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9742 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9743 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 9880 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9881 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9882 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 9883 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 10094 start_va = 0x2c40000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 10095 start_va = 0x2c80000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 10273 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10274 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10374 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 10375 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 10392 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10393 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10598 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 10599 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 10626 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10627 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11006 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11007 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 11045 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11046 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11092 start_va = 0x1280000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 11093 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 11400 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11401 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11554 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11555 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 11684 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11685 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11848 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11849 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 11920 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11921 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11956 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11957 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 12093 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12094 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12160 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12161 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 12248 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12249 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12325 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12326 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 12343 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12400 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12401 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 12502 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12503 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 12569 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12570 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 12608 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12609 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 12780 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12781 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 12937 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12938 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 13153 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13154 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 13234 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 13235 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 13498 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13499 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 13630 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 13631 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 13909 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13910 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 14095 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 14096 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 14375 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 14376 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 14918 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 14919 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 14994 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 14995 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 15211 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 15212 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 15647 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 15648 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 15731 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 15732 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 16000 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16001 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 16128 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16129 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 16147 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16148 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 16313 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16314 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 16396 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16397 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 16398 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 16552 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16553 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 16637 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16638 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 16882 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16883 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 16884 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16885 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 17262 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 17263 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 17264 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 17265 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 17849 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 17850 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 18211 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 18212 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 18288 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 18289 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 18760 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 18761 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 18889 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 18890 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 19006 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 19007 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 19092 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 19093 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 19155 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 19156 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 19265 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 19266 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 19267 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 19268 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 19640 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 19641 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 19698 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 19699 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 19836 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 19837 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 19919 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 19920 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 20096 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20097 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 20225 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 20226 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 20402 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20403 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 20484 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 20485 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 20588 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20589 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 20663 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 20664 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 20795 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20796 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 20975 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 20976 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 21054 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 21055 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 21374 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 21375 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 21545 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 21546 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 21689 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 21690 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 21834 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 21835 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 21919 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 21920 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 22020 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22021 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 22116 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 22117 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 22270 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22271 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 22307 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 22308 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 22482 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22483 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 22569 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 22570 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 22671 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22672 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 22910 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 22911 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 23100 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23101 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 23193 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 23194 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 23323 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23324 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 23395 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 23396 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 23579 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23580 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 23700 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 23701 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 23965 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23966 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 23967 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 23968 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 24186 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24187 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 24362 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 24363 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 24458 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24459 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 24487 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 24488 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 24696 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24697 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 24698 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 24699 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 24916 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24917 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 25017 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 25018 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 25123 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 25124 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 25144 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 25145 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 25267 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 25268 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 25543 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 25544 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 25943 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 25944 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 26080 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 26081 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 26472 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 26473 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 26747 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 26748 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 27233 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 27234 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 27235 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 27236 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 27594 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 27595 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 27675 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 27676 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 27864 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 27865 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 28028 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 28029 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 28101 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 28102 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 28174 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 28175 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 28240 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 28241 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 28418 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 28419 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 28660 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 28661 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 28983 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 28984 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 29046 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29047 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 29255 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 29256 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 29483 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29484 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 29583 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 29584 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 29660 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29661 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 29854 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 29855 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 29940 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29941 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 30159 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 30160 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 30209 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 30210 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 30528 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 30529 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 30757 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 30758 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 30922 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 30923 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 30980 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 30981 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 31165 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31166 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 31309 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31310 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 31435 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31436 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 31552 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31553 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 31554 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31555 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 31726 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31727 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 31792 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31793 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 31919 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31920 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 31940 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31941 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 32131 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32132 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 32187 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32188 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 32280 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32281 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 32527 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32528 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 32529 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32530 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 32742 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32743 start_va = 0x2b40000 end_va = 0x2c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 32770 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32771 start_va = 0x2c40000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Thread: id = 1 os_tid = 0x7ac [0067.034] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.035] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.035] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.035] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.035] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.035] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.037] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.038] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.038] GetProcessHeap () returned 0xe10000 [0067.038] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.038] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.038] GetLastError () returned 0xcb [0067.038] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0067.039] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.039] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x364) returned 0xe2b968 [0067.039] SetLastError (dwErrCode=0xcb) [0067.040] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0xe00) returned 0xe2bcd8 [0067.042] GetStartupInfoW (in: lpStartupInfo=0x18fbf0 | out: lpStartupInfo=0x18fbf0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.042] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0067.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0067.042] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0067.042] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fel=\"C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs\" /s" [0067.042] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fel=\"C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs\" /s" [0067.043] GetACP () returned 0x4e4 [0067.043] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x220) returned 0xe280a0 [0067.043] IsValidCodePage (CodePage=0x4e4) returned 1 [0067.043] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc10 | out: lpCPInfo=0x18fc10) returned 1 [0067.043] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4d8 | out: lpCPInfo=0x18f4d8) returned 1 [0067.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0067.043] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f4ec | out: lpCharType=0x18f4ec) returned 1 [0067.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.044] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x18f228, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.044] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.044] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0067.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f018, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0067.044] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x82/b3(ü\x18", lpUsedDefaultChar=0x0) returned 256 [0067.044] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.044] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faec, cbMultiByte=256, lpWideCharStr=0x18f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0067.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f038, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0067.044] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x82/b3(ü\x18", lpUsedDefaultChar=0x0) returned 256 [0067.044] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x80) returned 0xe208a0 [0067.044] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1a0) returned 0xe2cae0 [0067.045] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0067.045] GetLastError () returned 0x0 [0067.045] SetLastError (dwErrCode=0x0) [0067.045] GetEnvironmentStringsW () returned 0xe29e70* [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0xa8c) returned 0xe2cc88 [0067.045] FreeEnvironmentStringsW (penv=0xe29e70) returned 1 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x90) returned 0xe1ed08 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3e) returned 0xe22aa0 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x5c) returned 0xe21a80 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x6e) returned 0xe1efc0 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x78) returned 0xe1fc48 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x62) returned 0xe1e788 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x28) returned 0xe21e50 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x48) returned 0xe1f748 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1a) returned 0xe1ac28 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3a) returned 0xe22bc0 [0067.045] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x62) returned 0xe1e398 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2a) returned 0xe1f668 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2e) returned 0xe1f6a0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1c) returned 0xe1abb0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x144) returned 0xe21c90 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x7c) returned 0xe222a0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x36) returned 0xe252d0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3a) returned 0xe22a10 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x90) returned 0xe21998 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe1e538 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x30) returned 0xe1f320 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x36) returned 0xe25610 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x48) returned 0xe16b08 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x52) returned 0xe1eb40 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3c) returned 0xe227d0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0xd6) returned 0xe1de08 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2e) returned 0xe1f390 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1e) returned 0xe1ac50 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2c) returned 0xe1f550 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x54) returned 0xe1e5b0 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x52) returned 0xe1e810 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe1e568 [0067.046] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x42) returned 0xe1e870 [0067.047] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2c) returned 0xe1f438 [0067.047] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x44) returned 0xe22388 [0067.047] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe2d778 [0067.047] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe2cc88 | out: hHeap=0xe10000) returned 1 [0067.047] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x800) returned 0xe29160 [0067.048] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0067.048] GetStartupInfoW (in: lpStartupInfo=0x18fc54 | out: lpStartupInfo=0x18fc54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.048] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fel=\"C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs\" /s" [0067.048] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fel=\"C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs\" /s", pNumArgs=0x18fc40 | out: pNumArgs=0x18fc40) returned 0xe2cc88*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0067.049] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0067.083] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x38) returned 0xe25650 [0067.083] CreateFileW (lpFileName="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\tmp44rushjs" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmp44rushjs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x18fa94, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0067.084] GetFileType (hFile=0x180) returned 0x1 [0067.084] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x4000) returned 0xe318f8 [0067.084] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x1000) returned 0xe35900 [0067.085] ReadFile (in: hFile=0x180, lpBuffer=0xe35900, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18fad0, lpOverlapped=0x0 | out: lpBuffer=0xe35900*, lpNumberOfBytesRead=0x18fad0*=0x1000, lpOverlapped=0x0) returned 1 [0067.085] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0067.085] GetLastError () returned 0x0 [0067.085] SetLastError (dwErrCode=0x0) [0067.086] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0067.548] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0067.549] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0067.549] GetLastError () returned 0x0 [0067.549] SetLastError (dwErrCode=0x0) [0067.549] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0067.645] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0067.646] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0067.646] GetLastError () returned 0x0 [0067.646] SetLastError (dwErrCode=0x0) [0067.646] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0067.769] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0067.769] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0067.769] GetLastError () returned 0x0 [0067.769] SetLastError (dwErrCode=0x0) [0067.769] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0067.917] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0067.918] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0067.918] GetLastError () returned 0x0 [0067.918] SetLastError (dwErrCode=0x0) [0067.918] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0068.117] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0068.118] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0068.119] GetLastError () returned 0x0 [0068.119] SetLastError (dwErrCode=0x0) [0068.119] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0068.365] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0068.365] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0068.366] GetLastError () returned 0x0 [0068.366] SetLastError (dwErrCode=0x0) [0068.366] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0068.835] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0068.836] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0068.837] GetLastError () returned 0x0 [0068.837] SetLastError (dwErrCode=0x0) [0068.837] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0069.349] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0069.350] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0069.350] GetLastError () returned 0x0 [0069.350] SetLastError (dwErrCode=0x0) [0069.350] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0070.000] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0070.000] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0070.001] GetLastError () returned 0x0 [0070.001] SetLastError (dwErrCode=0x0) [0070.001] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0070.440] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0070.440] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0070.440] GetLastError () returned 0x0 [0070.440] SetLastError (dwErrCode=0x0) [0070.440] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0070.915] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0070.915] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0070.915] GetLastError () returned 0x0 [0070.915] SetLastError (dwErrCode=0x0) [0070.916] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0071.305] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0071.305] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0071.305] GetLastError () returned 0x0 [0071.305] SetLastError (dwErrCode=0x0) [0071.305] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0071.929] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0071.930] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0071.930] GetLastError () returned 0x0 [0071.930] SetLastError (dwErrCode=0x0) [0071.931] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0072.872] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0072.873] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0072.874] GetLastError () returned 0x0 [0072.874] SetLastError (dwErrCode=0x0) [0072.874] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0073.566] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0073.568] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0073.568] GetLastError () returned 0x0 [0073.568] SetLastError (dwErrCode=0x0) [0073.568] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0074.091] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0074.091] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0074.091] GetLastError () returned 0x0 [0074.091] SetLastError (dwErrCode=0x0) [0074.091] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0074.765] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0074.766] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0074.766] GetLastError () returned 0x0 [0074.766] SetLastError (dwErrCode=0x0) [0074.766] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0076.094] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0076.095] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0076.095] GetLastError () returned 0x0 [0076.095] SetLastError (dwErrCode=0x0) [0076.095] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0076.573] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0076.573] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0076.573] GetLastError () returned 0x0 [0076.574] SetLastError (dwErrCode=0x0) [0076.574] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0077.228] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0077.229] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0077.229] GetLastError () returned 0x0 [0077.229] SetLastError (dwErrCode=0x0) [0077.229] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0078.546] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0078.547] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0078.547] GetLastError () returned 0x0 [0078.547] SetLastError (dwErrCode=0x0) [0078.547] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0079.278] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0079.279] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0079.279] GetLastError () returned 0x0 [0079.279] SetLastError (dwErrCode=0x0) [0079.279] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0079.695] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0079.696] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0079.697] GetLastError () returned 0x0 [0079.697] SetLastError (dwErrCode=0x0) [0079.697] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0080.462] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0080.463] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0080.463] GetLastError () returned 0x0 [0080.463] SetLastError (dwErrCode=0x0) [0080.464] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0082.395] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0082.396] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0082.396] GetLastError () returned 0x0 [0082.397] SetLastError (dwErrCode=0x0) [0082.397] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0083.660] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0083.661] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0083.662] GetLastError () returned 0x0 [0083.662] SetLastError (dwErrCode=0x0) [0083.662] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0085.119] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0085.120] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0085.120] GetLastError () returned 0x0 [0085.120] SetLastError (dwErrCode=0x0) [0085.120] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0086.821] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0086.822] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0086.822] GetLastError () returned 0x0 [0086.822] SetLastError (dwErrCode=0x0) [0086.822] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0088.343] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0088.344] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0088.345] GetLastError () returned 0x0 [0088.345] SetLastError (dwErrCode=0x0) [0088.345] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0089.476] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0089.477] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0089.478] GetLastError () returned 0x0 [0089.478] SetLastError (dwErrCode=0x0) [0089.478] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0090.098] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0090.099] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0090.099] GetLastError () returned 0x0 [0090.099] SetLastError (dwErrCode=0x0) [0090.099] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0090.461] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0090.461] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0090.461] GetLastError () returned 0x0 [0090.461] SetLastError (dwErrCode=0x0) [0090.461] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0090.797] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0090.797] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0090.798] GetLastError () returned 0x0 [0090.798] SetLastError (dwErrCode=0x0) [0090.798] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0091.111] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0091.112] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0091.112] GetLastError () returned 0x0 [0091.112] SetLastError (dwErrCode=0x0) [0091.112] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0091.432] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0091.433] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0091.433] GetLastError () returned 0x0 [0091.433] SetLastError (dwErrCode=0x0) [0091.433] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0091.695] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0091.696] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0091.696] GetLastError () returned 0x0 [0091.696] SetLastError (dwErrCode=0x0) [0091.696] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0092.273] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0092.274] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0092.274] GetLastError () returned 0x0 [0092.274] SetLastError (dwErrCode=0x0) [0092.274] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0092.810] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0092.810] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0092.810] GetLastError () returned 0x0 [0092.811] SetLastError (dwErrCode=0x0) [0092.811] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0093.421] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0093.422] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0093.422] GetLastError () returned 0x0 [0093.422] SetLastError (dwErrCode=0x0) [0093.422] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0093.814] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0093.814] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0093.814] GetLastError () returned 0x0 [0093.814] SetLastError (dwErrCode=0x0) [0093.814] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0094.902] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0094.903] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0094.903] GetLastError () returned 0x0 [0094.903] SetLastError (dwErrCode=0x0) [0094.903] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0096.279] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0096.281] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0096.281] GetLastError () returned 0x0 [0096.281] SetLastError (dwErrCode=0x0) [0096.281] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.011] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0098.011] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0098.012] GetLastError () returned 0x0 [0098.012] SetLastError (dwErrCode=0x0) [0098.012] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.888] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0098.888] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0098.889] GetLastError () returned 0x0 [0098.889] SetLastError (dwErrCode=0x0) [0098.889] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0099.779] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0099.780] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0099.780] GetLastError () returned 0x0 [0099.780] SetLastError (dwErrCode=0x0) [0099.780] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0100.466] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0100.467] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0100.467] GetLastError () returned 0x0 [0100.467] SetLastError (dwErrCode=0x0) [0100.467] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0101.694] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0101.694] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0101.694] GetLastError () returned 0x0 [0101.694] SetLastError (dwErrCode=0x0) [0101.694] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0102.729] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0102.730] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0102.730] GetLastError () returned 0x0 [0102.730] SetLastError (dwErrCode=0x0) [0102.730] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0103.227] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0103.227] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0103.227] GetLastError () returned 0x0 [0103.227] SetLastError (dwErrCode=0x0) [0103.227] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0104.044] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0104.044] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0104.045] GetLastError () returned 0x0 [0104.045] SetLastError (dwErrCode=0x0) [0104.045] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0105.146] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0105.147] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0105.147] GetLastError () returned 0x0 [0105.147] SetLastError (dwErrCode=0x0) [0105.147] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0106.146] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0106.147] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0106.148] GetLastError () returned 0x0 [0106.148] SetLastError (dwErrCode=0x0) [0106.148] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0107.343] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0107.343] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0107.344] GetLastError () returned 0x0 [0107.344] SetLastError (dwErrCode=0x0) [0107.344] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0109.082] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0109.082] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0109.082] GetLastError () returned 0x0 [0109.082] SetLastError (dwErrCode=0x0) [0109.082] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0109.916] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0109.916] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0109.917] GetLastError () returned 0x0 [0109.917] SetLastError (dwErrCode=0x0) [0109.917] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0111.142] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0111.143] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0111.143] GetLastError () returned 0x0 [0111.143] SetLastError (dwErrCode=0x0) [0111.143] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0111.899] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0111.900] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0111.900] GetLastError () returned 0x0 [0111.900] SetLastError (dwErrCode=0x0) [0111.900] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0112.866] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0112.867] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0112.868] GetLastError () returned 0x0 [0112.868] SetLastError (dwErrCode=0x0) [0112.868] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0113.622] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0113.624] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0113.624] GetLastError () returned 0x0 [0113.624] SetLastError (dwErrCode=0x0) [0113.624] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0114.969] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0114.970] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0114.970] GetLastError () returned 0x0 [0114.970] SetLastError (dwErrCode=0x0) [0114.970] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0115.583] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0115.584] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0115.584] GetLastError () returned 0x0 [0115.584] SetLastError (dwErrCode=0x0) [0115.584] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0116.563] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0116.564] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0116.565] GetLastError () returned 0x0 [0116.565] SetLastError (dwErrCode=0x0) [0116.565] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0117.510] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0117.511] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0117.511] GetLastError () returned 0x0 [0117.512] SetLastError (dwErrCode=0x0) [0117.512] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0117.969] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0117.970] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0117.971] GetLastError () returned 0x0 [0117.971] SetLastError (dwErrCode=0x0) [0117.971] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0118.350] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0118.350] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0118.351] GetLastError () returned 0x0 [0118.351] SetLastError (dwErrCode=0x0) [0118.351] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0118.714] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0118.715] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0118.715] GetLastError () returned 0x0 [0118.715] SetLastError (dwErrCode=0x0) [0118.715] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0119.132] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0119.132] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0119.132] GetLastError () returned 0x0 [0119.132] SetLastError (dwErrCode=0x0) [0119.132] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0119.600] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0119.601] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0119.601] GetLastError () returned 0x0 [0119.601] SetLastError (dwErrCode=0x0) [0119.602] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0119.972] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0119.973] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0119.973] GetLastError () returned 0x0 [0119.973] SetLastError (dwErrCode=0x0) [0119.973] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0120.539] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0120.540] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0120.540] GetLastError () returned 0x0 [0120.540] SetLastError (dwErrCode=0x0) [0120.540] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0121.135] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0121.136] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0121.136] GetLastError () returned 0x0 [0121.136] SetLastError (dwErrCode=0x0) [0121.136] GetLastError () returned 0x0 [0121.136] SetLastError (dwErrCode=0x0) [0121.136] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0121.582] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0121.582] ReadFile (in: hFile=0x180, lpBuffer=0xe35900, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18fad0, lpOverlapped=0x0 | out: lpBuffer=0xe35900*, lpNumberOfBytesRead=0x18fad0*=0x1000, lpOverlapped=0x0) returned 1 [0121.583] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0121.583] GetLastError () returned 0x0 [0121.583] SetLastError (dwErrCode=0x0) [0121.583] GetLastError () returned 0x0 [0121.583] SetLastError (dwErrCode=0x0) [0121.583] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0122.354] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0122.354] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0122.355] GetLastError () returned 0x0 [0122.355] SetLastError (dwErrCode=0x0) [0122.355] GetLastError () returned 0x0 [0122.355] SetLastError (dwErrCode=0x0) [0122.355] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0123.187] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0123.189] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0123.189] GetLastError () returned 0x0 [0123.189] SetLastError (dwErrCode=0x0) [0123.189] GetLastError () returned 0x0 [0123.189] SetLastError (dwErrCode=0x0) [0123.189] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0123.928] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0123.929] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0123.929] GetLastError () returned 0x0 [0123.930] SetLastError (dwErrCode=0x0) [0123.930] GetLastError () returned 0x0 [0123.930] SetLastError (dwErrCode=0x0) [0123.930] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0124.900] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0124.901] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0124.901] GetLastError () returned 0x0 [0124.902] SetLastError (dwErrCode=0x0) [0124.902] GetLastError () returned 0x0 [0124.902] SetLastError (dwErrCode=0x0) [0124.902] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0125.968] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0125.968] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0125.968] GetLastError () returned 0x0 [0125.968] SetLastError (dwErrCode=0x0) [0125.968] GetLastError () returned 0x0 [0125.968] SetLastError (dwErrCode=0x0) [0125.968] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0126.643] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0126.644] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0126.644] GetLastError () returned 0x0 [0126.644] SetLastError (dwErrCode=0x0) [0126.644] GetLastError () returned 0x0 [0126.644] SetLastError (dwErrCode=0x0) [0126.644] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0127.305] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0127.306] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0127.306] GetLastError () returned 0x0 [0127.306] SetLastError (dwErrCode=0x0) [0127.306] GetLastError () returned 0x0 [0127.306] SetLastError (dwErrCode=0x0) [0127.306] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0128.441] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0128.442] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0128.443] GetLastError () returned 0x0 [0128.443] SetLastError (dwErrCode=0x0) [0128.443] GetLastError () returned 0x0 [0128.443] SetLastError (dwErrCode=0x0) [0128.443] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0129.641] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0129.642] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0129.642] GetLastError () returned 0x0 [0129.642] SetLastError (dwErrCode=0x0) [0129.642] GetLastError () returned 0x0 [0129.642] SetLastError (dwErrCode=0x0) [0129.642] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0130.318] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0130.320] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0130.320] GetLastError () returned 0x0 [0130.320] SetLastError (dwErrCode=0x0) [0130.320] GetLastError () returned 0x0 [0130.320] SetLastError (dwErrCode=0x0) [0130.320] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0130.519] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0130.520] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0130.520] GetLastError () returned 0x0 [0130.520] SetLastError (dwErrCode=0x0) [0130.520] GetLastError () returned 0x0 [0130.520] SetLastError (dwErrCode=0x0) [0130.520] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0131.969] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0131.969] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0131.969] GetLastError () returned 0x0 [0131.969] SetLastError (dwErrCode=0x0) [0131.969] GetLastError () returned 0x0 [0131.969] SetLastError (dwErrCode=0x0) [0131.969] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0133.773] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0133.775] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0133.775] GetLastError () returned 0x0 [0133.775] SetLastError (dwErrCode=0x0) [0133.775] GetLastError () returned 0x0 [0133.775] SetLastError (dwErrCode=0x0) [0133.775] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0135.174] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0135.175] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0135.176] GetLastError () returned 0x0 [0135.176] SetLastError (dwErrCode=0x0) [0135.176] GetLastError () returned 0x0 [0135.176] SetLastError (dwErrCode=0x0) [0135.176] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0136.314] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0136.314] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0136.314] GetLastError () returned 0x0 [0136.314] SetLastError (dwErrCode=0x0) [0136.314] GetLastError () returned 0x0 [0136.314] SetLastError (dwErrCode=0x0) [0136.314] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0136.997] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0136.999] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0137.000] GetLastError () returned 0x0 [0137.000] SetLastError (dwErrCode=0x0) [0137.000] GetLastError () returned 0x0 [0137.000] SetLastError (dwErrCode=0x0) [0137.000] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0137.603] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0137.604] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0137.605] GetLastError () returned 0x0 [0137.605] SetLastError (dwErrCode=0x0) [0137.605] GetLastError () returned 0x0 [0137.605] SetLastError (dwErrCode=0x0) [0137.605] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0137.918] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0137.920] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0137.920] GetLastError () returned 0x0 [0137.920] SetLastError (dwErrCode=0x0) [0137.920] GetLastError () returned 0x0 [0137.920] SetLastError (dwErrCode=0x0) [0137.920] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0138.421] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0138.423] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0138.424] GetLastError () returned 0x0 [0138.424] SetLastError (dwErrCode=0x0) [0138.424] GetLastError () returned 0x0 [0138.424] SetLastError (dwErrCode=0x0) [0138.424] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0138.777] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0138.778] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0138.779] GetLastError () returned 0x0 [0138.779] SetLastError (dwErrCode=0x0) [0138.779] GetLastError () returned 0x0 [0138.779] SetLastError (dwErrCode=0x0) [0138.779] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0139.509] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0139.510] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0139.511] GetLastError () returned 0x0 [0139.511] SetLastError (dwErrCode=0x0) [0139.511] GetLastError () returned 0x0 [0139.511] SetLastError (dwErrCode=0x0) [0139.511] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0139.886] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0139.887] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0139.887] GetLastError () returned 0x0 [0139.887] SetLastError (dwErrCode=0x0) [0139.887] GetLastError () returned 0x0 [0139.887] SetLastError (dwErrCode=0x0) [0139.887] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0140.384] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0140.386] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0140.387] GetLastError () returned 0x0 [0140.387] SetLastError (dwErrCode=0x0) [0140.387] GetLastError () returned 0x0 [0140.387] SetLastError (dwErrCode=0x0) [0140.387] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0141.672] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0141.673] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0141.673] GetLastError () returned 0x0 [0141.674] SetLastError (dwErrCode=0x0) [0141.674] GetLastError () returned 0x0 [0141.674] SetLastError (dwErrCode=0x0) [0141.674] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0142.701] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0142.702] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0142.702] GetLastError () returned 0x0 [0142.702] SetLastError (dwErrCode=0x0) [0142.702] GetLastError () returned 0x0 [0142.702] SetLastError (dwErrCode=0x0) [0142.702] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0143.225] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0143.226] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0143.226] GetLastError () returned 0x0 [0143.226] SetLastError (dwErrCode=0x0) [0143.226] GetLastError () returned 0x0 [0143.226] SetLastError (dwErrCode=0x0) [0143.226] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0144.087] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0144.088] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0144.088] GetLastError () returned 0x0 [0144.088] SetLastError (dwErrCode=0x0) [0144.088] GetLastError () returned 0x0 [0144.088] SetLastError (dwErrCode=0x0) [0144.089] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0144.930] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0144.931] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0144.931] GetLastError () returned 0x0 [0144.931] SetLastError (dwErrCode=0x0) [0144.932] GetLastError () returned 0x0 [0144.932] SetLastError (dwErrCode=0x0) [0144.932] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0147.225] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0147.226] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0147.226] GetLastError () returned 0x0 [0147.226] SetLastError (dwErrCode=0x0) [0147.226] GetLastError () returned 0x0 [0147.226] SetLastError (dwErrCode=0x0) [0147.226] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0149.647] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0149.648] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0149.649] GetLastError () returned 0x0 [0149.649] SetLastError (dwErrCode=0x0) [0149.649] GetLastError () returned 0x0 [0149.649] SetLastError (dwErrCode=0x0) [0149.649] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0150.608] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0150.608] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0150.609] GetLastError () returned 0x0 [0150.609] SetLastError (dwErrCode=0x0) [0150.609] GetLastError () returned 0x0 [0150.609] SetLastError (dwErrCode=0x0) [0150.609] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0151.684] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0151.685] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0151.686] GetLastError () returned 0x0 [0151.686] SetLastError (dwErrCode=0x0) [0151.686] GetLastError () returned 0x0 [0151.686] SetLastError (dwErrCode=0x0) [0151.686] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0154.716] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0154.717] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0154.717] GetLastError () returned 0x0 [0154.717] SetLastError (dwErrCode=0x0) [0154.717] GetLastError () returned 0x0 [0154.718] SetLastError (dwErrCode=0x0) [0154.718] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0157.949] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0157.950] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0157.950] GetLastError () returned 0x0 [0157.951] SetLastError (dwErrCode=0x0) [0157.951] GetLastError () returned 0x0 [0157.951] SetLastError (dwErrCode=0x0) [0157.951] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0159.818] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0159.819] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0159.819] GetLastError () returned 0x0 [0159.820] SetLastError (dwErrCode=0x0) [0159.820] GetLastError () returned 0x0 [0159.820] SetLastError (dwErrCode=0x0) [0159.820] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0161.404] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0161.405] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0161.405] GetLastError () returned 0x0 [0161.405] SetLastError (dwErrCode=0x0) [0161.405] GetLastError () returned 0x0 [0161.405] SetLastError (dwErrCode=0x0) [0161.405] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0161.872] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0161.872] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0161.873] GetLastError () returned 0x0 [0161.873] SetLastError (dwErrCode=0x0) [0161.873] GetLastError () returned 0x0 [0161.873] SetLastError (dwErrCode=0x0) [0161.873] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0162.975] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0162.976] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0162.976] GetLastError () returned 0x0 [0162.976] SetLastError (dwErrCode=0x0) [0162.976] GetLastError () returned 0x0 [0162.976] SetLastError (dwErrCode=0x0) [0162.976] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0163.780] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0163.781] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0163.781] GetLastError () returned 0x0 [0163.781] SetLastError (dwErrCode=0x0) [0163.781] GetLastError () returned 0x0 [0163.782] SetLastError (dwErrCode=0x0) [0163.782] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0164.480] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0164.481] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0164.481] GetLastError () returned 0x0 [0164.481] SetLastError (dwErrCode=0x0) [0164.481] GetLastError () returned 0x0 [0164.481] SetLastError (dwErrCode=0x0) [0164.481] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0165.483] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0165.483] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0165.483] GetLastError () returned 0x0 [0165.483] SetLastError (dwErrCode=0x0) [0165.484] GetLastError () returned 0x0 [0165.484] SetLastError (dwErrCode=0x0) [0165.484] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0165.926] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0165.926] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0165.927] GetLastError () returned 0x0 [0165.927] SetLastError (dwErrCode=0x0) [0165.927] GetLastError () returned 0x0 [0165.927] SetLastError (dwErrCode=0x0) [0165.927] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0166.319] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0166.320] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0166.320] GetLastError () returned 0x0 [0166.320] SetLastError (dwErrCode=0x0) [0166.320] GetLastError () returned 0x0 [0166.320] SetLastError (dwErrCode=0x0) [0166.320] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0168.366] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0168.367] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0168.368] GetLastError () returned 0x0 [0168.368] SetLastError (dwErrCode=0x0) [0168.368] GetLastError () returned 0x0 [0168.368] SetLastError (dwErrCode=0x0) [0168.368] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0168.995] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0168.996] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0168.996] GetLastError () returned 0x0 [0168.996] SetLastError (dwErrCode=0x0) [0168.996] GetLastError () returned 0x0 [0168.996] SetLastError (dwErrCode=0x0) [0168.996] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0170.591] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0170.592] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0170.592] GetLastError () returned 0x0 [0170.592] SetLastError (dwErrCode=0x0) [0170.592] GetLastError () returned 0x0 [0170.592] SetLastError (dwErrCode=0x0) [0170.592] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0171.912] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0171.914] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0171.914] GetLastError () returned 0x0 [0171.914] SetLastError (dwErrCode=0x0) [0171.915] GetLastError () returned 0x0 [0171.915] SetLastError (dwErrCode=0x0) [0171.915] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0174.184] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0174.185] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0174.185] GetLastError () returned 0x0 [0174.185] SetLastError (dwErrCode=0x0) [0174.185] GetLastError () returned 0x0 [0174.185] SetLastError (dwErrCode=0x0) [0174.185] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0175.379] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0175.380] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0175.380] GetLastError () returned 0x0 [0175.380] SetLastError (dwErrCode=0x0) [0175.380] GetLastError () returned 0x0 [0175.380] SetLastError (dwErrCode=0x0) [0175.380] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0177.404] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0177.406] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0177.406] GetLastError () returned 0x0 [0177.406] SetLastError (dwErrCode=0x0) [0177.406] GetLastError () returned 0x0 [0177.406] SetLastError (dwErrCode=0x0) [0177.406] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0179.433] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0179.433] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0179.434] GetLastError () returned 0x0 [0179.434] SetLastError (dwErrCode=0x0) [0179.434] GetLastError () returned 0x0 [0179.434] SetLastError (dwErrCode=0x0) [0179.434] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0180.816] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0180.819] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0180.819] GetLastError () returned 0x0 [0180.819] SetLastError (dwErrCode=0x0) [0180.819] GetLastError () returned 0x0 [0180.820] SetLastError (dwErrCode=0x0) [0180.820] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0181.432] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0181.433] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0181.433] GetLastError () returned 0x0 [0181.433] SetLastError (dwErrCode=0x0) [0181.433] GetLastError () returned 0x0 [0181.433] SetLastError (dwErrCode=0x0) [0181.433] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0182.486] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0182.487] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0182.487] GetLastError () returned 0x0 [0182.487] SetLastError (dwErrCode=0x0) [0182.487] GetLastError () returned 0x0 [0182.488] SetLastError (dwErrCode=0x0) [0182.488] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0183.739] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0183.740] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0183.740] GetLastError () returned 0x0 [0183.740] SetLastError (dwErrCode=0x0) [0183.740] GetLastError () returned 0x0 [0183.740] SetLastError (dwErrCode=0x0) [0183.741] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0184.440] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0184.441] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0184.442] GetLastError () returned 0x0 [0184.442] SetLastError (dwErrCode=0x0) [0184.442] GetLastError () returned 0x0 [0184.442] SetLastError (dwErrCode=0x0) [0184.442] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0185.497] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0185.498] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0185.499] GetLastError () returned 0x0 [0185.499] SetLastError (dwErrCode=0x0) [0185.499] GetLastError () returned 0x0 [0185.499] SetLastError (dwErrCode=0x0) [0185.499] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0186.069] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0186.070] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0186.070] GetLastError () returned 0x0 [0186.070] SetLastError (dwErrCode=0x0) [0186.070] GetLastError () returned 0x0 [0186.070] SetLastError (dwErrCode=0x0) [0186.070] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0186.530] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0186.531] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0186.531] GetLastError () returned 0x0 [0186.531] SetLastError (dwErrCode=0x0) [0186.531] GetLastError () returned 0x0 [0186.531] SetLastError (dwErrCode=0x0) [0186.531] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0187.024] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0187.025] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0187.026] GetLastError () returned 0x0 [0187.026] SetLastError (dwErrCode=0x0) [0187.026] GetLastError () returned 0x0 [0187.026] SetLastError (dwErrCode=0x0) [0187.026] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0187.595] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0187.596] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0187.596] GetLastError () returned 0x0 [0187.596] SetLastError (dwErrCode=0x0) [0187.596] GetLastError () returned 0x0 [0187.596] SetLastError (dwErrCode=0x0) [0187.596] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0188.206] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0188.207] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0188.207] GetLastError () returned 0x0 [0188.207] SetLastError (dwErrCode=0x0) [0188.207] GetLastError () returned 0x0 [0188.207] SetLastError (dwErrCode=0x0) [0188.207] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0188.615] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0188.616] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0188.616] GetLastError () returned 0x0 [0188.616] SetLastError (dwErrCode=0x0) [0188.616] GetLastError () returned 0x0 [0188.616] SetLastError (dwErrCode=0x0) [0188.616] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0189.547] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0189.548] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0189.548] GetLastError () returned 0x0 [0189.548] SetLastError (dwErrCode=0x0) [0189.548] GetLastError () returned 0x0 [0189.548] SetLastError (dwErrCode=0x0) [0189.548] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0190.294] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0190.295] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0190.295] GetLastError () returned 0x0 [0190.295] SetLastError (dwErrCode=0x0) [0190.295] GetLastError () returned 0x0 [0190.296] SetLastError (dwErrCode=0x0) [0190.296] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0191.542] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0191.543] ReadFile (in: hFile=0x180, lpBuffer=0xe35900, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18fad0, lpOverlapped=0x0 | out: lpBuffer=0xe35900*, lpNumberOfBytesRead=0x18fad0*=0x1000, lpOverlapped=0x0) returned 1 [0191.543] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0191.543] GetLastError () returned 0x0 [0191.543] SetLastError (dwErrCode=0x0) [0191.544] GetLastError () returned 0x0 [0191.544] SetLastError (dwErrCode=0x0) [0191.544] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0192.707] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0192.708] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0192.709] GetLastError () returned 0x0 [0192.709] SetLastError (dwErrCode=0x0) [0192.709] GetLastError () returned 0x0 [0192.709] SetLastError (dwErrCode=0x0) [0192.709] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0193.824] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0193.824] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0193.825] GetLastError () returned 0x0 [0193.825] SetLastError (dwErrCode=0x0) [0193.825] GetLastError () returned 0x0 [0193.825] SetLastError (dwErrCode=0x0) [0193.825] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0195.085] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0195.086] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0195.086] GetLastError () returned 0x0 [0195.086] SetLastError (dwErrCode=0x0) [0195.086] GetLastError () returned 0x0 [0195.086] SetLastError (dwErrCode=0x0) [0195.086] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0196.658] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0196.659] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0196.659] GetLastError () returned 0x0 [0196.659] SetLastError (dwErrCode=0x0) [0196.659] GetLastError () returned 0x0 [0196.659] SetLastError (dwErrCode=0x0) [0196.659] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0197.566] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0197.567] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0197.567] GetLastError () returned 0x0 [0197.567] SetLastError (dwErrCode=0x0) [0197.567] GetLastError () returned 0x0 [0197.567] SetLastError (dwErrCode=0x0) [0197.567] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0198.247] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0198.247] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0198.248] GetLastError () returned 0x0 [0198.248] SetLastError (dwErrCode=0x0) [0198.248] GetLastError () returned 0x0 [0198.248] SetLastError (dwErrCode=0x0) [0198.248] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0200.197] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0200.198] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0200.198] GetLastError () returned 0x0 [0200.199] SetLastError (dwErrCode=0x0) [0200.199] GetLastError () returned 0x0 [0200.199] SetLastError (dwErrCode=0x0) [0200.199] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0201.927] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0201.928] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0201.928] GetLastError () returned 0x0 [0201.928] SetLastError (dwErrCode=0x0) [0201.928] GetLastError () returned 0x0 [0201.928] SetLastError (dwErrCode=0x0) [0201.928] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0203.864] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0203.865] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0203.866] GetLastError () returned 0x0 [0203.866] SetLastError (dwErrCode=0x0) [0203.866] GetLastError () returned 0x0 [0203.866] SetLastError (dwErrCode=0x0) [0203.866] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0205.617] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0205.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0205.619] GetLastError () returned 0x0 [0205.619] SetLastError (dwErrCode=0x0) [0205.619] GetLastError () returned 0x0 [0205.619] SetLastError (dwErrCode=0x0) [0205.619] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0207.038] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0207.040] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0207.040] GetLastError () returned 0x0 [0207.040] SetLastError (dwErrCode=0x0) [0207.040] GetLastError () returned 0x0 [0207.040] SetLastError (dwErrCode=0x0) [0207.040] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0208.137] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0208.138] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0208.138] GetLastError () returned 0x0 [0208.138] SetLastError (dwErrCode=0x0) [0208.138] GetLastError () returned 0x0 [0208.138] SetLastError (dwErrCode=0x0) [0208.139] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0209.402] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0209.403] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0209.403] GetLastError () returned 0x0 [0209.403] SetLastError (dwErrCode=0x0) [0209.403] GetLastError () returned 0x0 [0209.403] SetLastError (dwErrCode=0x0) [0209.403] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0211.042] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0211.043] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0211.043] GetLastError () returned 0x0 [0211.043] SetLastError (dwErrCode=0x0) [0211.043] GetLastError () returned 0x0 [0211.043] SetLastError (dwErrCode=0x0) [0211.043] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0212.880] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0212.881] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0212.881] GetLastError () returned 0x0 [0212.881] SetLastError (dwErrCode=0x0) [0212.881] GetLastError () returned 0x0 [0212.881] SetLastError (dwErrCode=0x0) [0212.881] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0214.049] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0214.050] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0214.050] GetLastError () returned 0x0 [0214.051] SetLastError (dwErrCode=0x0) [0214.051] GetLastError () returned 0x0 [0214.051] SetLastError (dwErrCode=0x0) [0214.051] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0215.754] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0215.756] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0215.756] GetLastError () returned 0x0 [0215.756] SetLastError (dwErrCode=0x0) [0215.756] GetLastError () returned 0x0 [0215.756] SetLastError (dwErrCode=0x0) [0215.756] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0217.505] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0217.506] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0217.506] GetLastError () returned 0x0 [0217.506] SetLastError (dwErrCode=0x0) [0217.506] GetLastError () returned 0x0 [0217.506] SetLastError (dwErrCode=0x0) [0217.506] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0219.561] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0219.562] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0219.562] GetLastError () returned 0x0 [0219.562] SetLastError (dwErrCode=0x0) [0219.562] GetLastError () returned 0x0 [0219.562] SetLastError (dwErrCode=0x0) [0219.562] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0221.857] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0221.858] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0221.858] GetLastError () returned 0x0 [0221.858] SetLastError (dwErrCode=0x0) [0221.858] GetLastError () returned 0x0 [0221.858] SetLastError (dwErrCode=0x0) [0221.858] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0224.110] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0224.111] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0224.111] GetLastError () returned 0x0 [0224.112] SetLastError (dwErrCode=0x0) [0224.112] GetLastError () returned 0x0 [0224.112] SetLastError (dwErrCode=0x0) [0224.112] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0226.355] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0226.356] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0226.356] GetLastError () returned 0x0 [0226.356] SetLastError (dwErrCode=0x0) [0226.357] GetLastError () returned 0x0 [0226.357] SetLastError (dwErrCode=0x0) [0226.357] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0227.935] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0227.936] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0227.937] GetLastError () returned 0x0 [0227.937] SetLastError (dwErrCode=0x0) [0227.937] GetLastError () returned 0x0 [0227.937] SetLastError (dwErrCode=0x0) [0227.937] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0230.055] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0230.056] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0230.056] GetLastError () returned 0x0 [0230.057] SetLastError (dwErrCode=0x0) [0230.057] GetLastError () returned 0x0 [0230.057] SetLastError (dwErrCode=0x0) [0230.057] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0231.418] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0231.419] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0231.419] GetLastError () returned 0x0 [0231.420] SetLastError (dwErrCode=0x0) [0231.420] GetLastError () returned 0x0 [0231.420] SetLastError (dwErrCode=0x0) [0231.420] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0233.579] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0233.580] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0233.580] GetLastError () returned 0x0 [0233.581] SetLastError (dwErrCode=0x0) [0233.581] GetLastError () returned 0x0 [0233.581] SetLastError (dwErrCode=0x0) [0233.581] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0234.918] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0234.918] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0234.918] GetLastError () returned 0x0 [0234.919] SetLastError (dwErrCode=0x0) [0234.919] GetLastError () returned 0x0 [0234.919] SetLastError (dwErrCode=0x0) [0234.919] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0236.117] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0236.118] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0236.119] GetLastError () returned 0x0 [0236.120] SetLastError (dwErrCode=0x0) [0236.120] GetLastError () returned 0x0 [0236.120] SetLastError (dwErrCode=0x0) [0236.120] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0238.272] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0238.273] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0238.274] GetLastError () returned 0x0 [0238.274] SetLastError (dwErrCode=0x0) [0238.275] GetLastError () returned 0x0 [0238.275] SetLastError (dwErrCode=0x0) [0238.275] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0240.161] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0240.162] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0240.163] GetLastError () returned 0x0 [0240.163] SetLastError (dwErrCode=0x0) [0240.163] GetLastError () returned 0x0 [0240.164] SetLastError (dwErrCode=0x0) [0240.164] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0242.117] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0242.117] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0242.118] GetLastError () returned 0x0 [0242.118] SetLastError (dwErrCode=0x0) [0242.118] GetLastError () returned 0x0 [0242.118] SetLastError (dwErrCode=0x0) [0242.118] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0243.764] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0243.764] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0243.765] GetLastError () returned 0x0 [0243.765] SetLastError (dwErrCode=0x0) [0243.765] GetLastError () returned 0x0 [0243.765] SetLastError (dwErrCode=0x0) [0243.765] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0245.201] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0245.201] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0245.202] GetLastError () returned 0x0 [0245.202] SetLastError (dwErrCode=0x0) [0245.202] GetLastError () returned 0x0 [0245.203] SetLastError (dwErrCode=0x0) [0245.203] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0246.584] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0246.585] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0246.585] GetLastError () returned 0x0 [0246.585] SetLastError (dwErrCode=0x0) [0246.585] GetLastError () returned 0x0 [0246.585] SetLastError (dwErrCode=0x0) [0246.585] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0248.183] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0248.184] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0248.184] GetLastError () returned 0x0 [0248.185] SetLastError (dwErrCode=0x0) [0248.185] GetLastError () returned 0x0 [0248.185] SetLastError (dwErrCode=0x0) [0248.185] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0249.533] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0249.534] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0249.534] GetLastError () returned 0x0 [0249.535] SetLastError (dwErrCode=0x0) [0249.535] GetLastError () returned 0x0 [0249.535] SetLastError (dwErrCode=0x0) [0249.535] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0250.775] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0250.776] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0250.777] GetLastError () returned 0x0 [0250.777] SetLastError (dwErrCode=0x0) [0250.777] GetLastError () returned 0x0 [0250.777] SetLastError (dwErrCode=0x0) [0250.777] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0251.584] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0251.585] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0251.585] GetLastError () returned 0x0 [0251.586] SetLastError (dwErrCode=0x0) [0251.586] GetLastError () returned 0x0 [0251.586] SetLastError (dwErrCode=0x0) [0251.586] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0251.991] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0251.991] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0251.991] GetLastError () returned 0x0 [0251.992] SetLastError (dwErrCode=0x0) [0251.992] GetLastError () returned 0x0 [0251.992] SetLastError (dwErrCode=0x0) [0251.992] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0253.012] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0253.013] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0253.013] GetLastError () returned 0x0 [0253.013] SetLastError (dwErrCode=0x0) [0253.013] GetLastError () returned 0x0 [0253.013] SetLastError (dwErrCode=0x0) [0253.013] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0253.717] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0253.717] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0253.718] GetLastError () returned 0x0 [0253.718] SetLastError (dwErrCode=0x0) [0253.718] GetLastError () returned 0x0 [0253.718] SetLastError (dwErrCode=0x0) [0253.718] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0254.342] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0254.343] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0254.343] GetLastError () returned 0x0 [0254.343] SetLastError (dwErrCode=0x0) [0254.344] GetLastError () returned 0x0 [0254.344] SetLastError (dwErrCode=0x0) [0254.344] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0255.523] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0255.524] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0255.524] GetLastError () returned 0x0 [0255.535] SetLastError (dwErrCode=0x0) [0255.535] GetLastError () returned 0x0 [0255.535] SetLastError (dwErrCode=0x0) [0255.535] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0256.685] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0256.686] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0256.686] GetLastError () returned 0x0 [0256.686] SetLastError (dwErrCode=0x0) [0256.686] GetLastError () returned 0x0 [0256.687] SetLastError (dwErrCode=0x0) [0256.687] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0257.655] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0257.656] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0257.656] GetLastError () returned 0x0 [0257.656] SetLastError (dwErrCode=0x0) [0257.656] GetLastError () returned 0x0 [0257.657] SetLastError (dwErrCode=0x0) [0257.657] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0259.129] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0259.130] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0259.130] GetLastError () returned 0x0 [0259.131] SetLastError (dwErrCode=0x0) [0259.131] GetLastError () returned 0x0 [0259.131] SetLastError (dwErrCode=0x0) [0259.131] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0260.524] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0260.525] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0260.526] GetLastError () returned 0x0 [0260.526] SetLastError (dwErrCode=0x0) [0260.526] GetLastError () returned 0x0 [0260.526] SetLastError (dwErrCode=0x0) [0260.526] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0261.531] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0261.532] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0261.532] GetLastError () returned 0x0 [0261.533] SetLastError (dwErrCode=0x0) [0261.533] GetLastError () returned 0x0 [0261.533] SetLastError (dwErrCode=0x0) [0261.533] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0262.612] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0262.613] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0262.613] GetLastError () returned 0x0 [0262.614] SetLastError (dwErrCode=0x0) [0262.614] GetLastError () returned 0x0 [0262.614] SetLastError (dwErrCode=0x0) [0262.614] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0263.872] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0263.889] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0263.890] GetLastError () returned 0x0 [0263.890] SetLastError (dwErrCode=0x0) [0263.890] GetLastError () returned 0x0 [0263.890] SetLastError (dwErrCode=0x0) [0263.890] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0264.579] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0264.580] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0264.580] GetLastError () returned 0x0 [0264.581] SetLastError (dwErrCode=0x0) [0264.581] GetLastError () returned 0x0 [0264.581] SetLastError (dwErrCode=0x0) [0264.581] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0265.031] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0265.032] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0265.032] GetLastError () returned 0x0 [0265.033] SetLastError (dwErrCode=0x0) [0265.033] GetLastError () returned 0x0 [0265.033] SetLastError (dwErrCode=0x0) [0265.033] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0265.493] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0265.495] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0265.495] GetLastError () returned 0x0 [0265.495] SetLastError (dwErrCode=0x0) [0265.495] GetLastError () returned 0x0 [0265.496] SetLastError (dwErrCode=0x0) [0265.496] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0266.075] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0266.076] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0266.076] GetLastError () returned 0x0 [0266.076] SetLastError (dwErrCode=0x0) [0266.076] GetLastError () returned 0x0 [0266.077] SetLastError (dwErrCode=0x0) [0266.077] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0266.782] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0266.783] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0266.783] GetLastError () returned 0x0 [0266.783] SetLastError (dwErrCode=0x0) [0266.783] GetLastError () returned 0x0 [0266.784] SetLastError (dwErrCode=0x0) [0266.784] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0267.389] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0267.391] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0267.391] GetLastError () returned 0x0 [0267.392] SetLastError (dwErrCode=0x0) [0267.392] GetLastError () returned 0x0 [0267.392] SetLastError (dwErrCode=0x0) [0267.392] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0268.172] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0268.173] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0268.174] GetLastError () returned 0x0 [0268.174] SetLastError (dwErrCode=0x0) [0268.174] GetLastError () returned 0x0 [0268.174] SetLastError (dwErrCode=0x0) [0268.174] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0268.749] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0268.752] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0268.753] GetLastError () returned 0x0 [0268.753] SetLastError (dwErrCode=0x0) [0268.753] GetLastError () returned 0x0 [0268.754] SetLastError (dwErrCode=0x0) [0268.754] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0269.455] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0269.456] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0269.456] GetLastError () returned 0x0 [0269.456] SetLastError (dwErrCode=0x0) [0269.456] GetLastError () returned 0x0 [0269.457] SetLastError (dwErrCode=0x0) [0269.457] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0270.356] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0270.360] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0270.360] GetLastError () returned 0x0 [0270.361] SetLastError (dwErrCode=0x0) [0270.361] GetLastError () returned 0x0 [0270.361] SetLastError (dwErrCode=0x0) [0270.361] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0271.199] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0271.200] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0271.201] GetLastError () returned 0x0 [0271.201] SetLastError (dwErrCode=0x0) [0271.201] GetLastError () returned 0x0 [0271.202] SetLastError (dwErrCode=0x0) [0271.202] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0271.957] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0271.959] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0271.960] GetLastError () returned 0x0 [0271.960] SetLastError (dwErrCode=0x0) [0271.960] GetLastError () returned 0x0 [0271.961] SetLastError (dwErrCode=0x0) [0271.961] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0272.597] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0272.598] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0272.599] GetLastError () returned 0x0 [0272.599] SetLastError (dwErrCode=0x0) [0272.599] GetLastError () returned 0x0 [0272.599] SetLastError (dwErrCode=0x0) [0272.599] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0273.081] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0273.081] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0273.081] GetLastError () returned 0x0 [0273.082] SetLastError (dwErrCode=0x0) [0273.082] GetLastError () returned 0x0 [0273.082] SetLastError (dwErrCode=0x0) [0273.082] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0274.382] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0274.383] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0274.383] GetLastError () returned 0x0 [0274.384] SetLastError (dwErrCode=0x0) [0274.384] GetLastError () returned 0x0 [0274.384] SetLastError (dwErrCode=0x0) [0274.384] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0275.899] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0275.900] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0275.900] GetLastError () returned 0x0 [0275.901] SetLastError (dwErrCode=0x0) [0275.901] GetLastError () returned 0x0 [0275.901] SetLastError (dwErrCode=0x0) [0275.901] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0276.487] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0276.488] ReadFile (in: hFile=0x180, lpBuffer=0xe35900, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18fad0, lpOverlapped=0x0 | out: lpBuffer=0xe35900*, lpNumberOfBytesRead=0x18fad0*=0x1000, lpOverlapped=0x0) returned 1 [0276.488] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0276.488] GetLastError () returned 0x0 [0276.489] SetLastError (dwErrCode=0x0) [0276.489] GetLastError () returned 0x0 [0276.489] SetLastError (dwErrCode=0x0) [0276.489] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0277.105] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0277.106] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0277.107] GetLastError () returned 0x0 [0277.108] SetLastError (dwErrCode=0x0) [0277.108] GetLastError () returned 0x0 [0277.108] SetLastError (dwErrCode=0x0) [0277.108] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0277.993] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0277.994] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0277.994] GetLastError () returned 0x0 [0277.994] SetLastError (dwErrCode=0x0) [0277.995] GetLastError () returned 0x0 [0277.995] SetLastError (dwErrCode=0x0) [0277.995] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0279.039] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0279.040] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0279.040] GetLastError () returned 0x0 [0279.041] SetLastError (dwErrCode=0x0) [0279.041] GetLastError () returned 0x0 [0279.041] SetLastError (dwErrCode=0x0) [0279.041] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0280.197] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0280.198] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0280.198] GetLastError () returned 0x0 [0280.199] SetLastError (dwErrCode=0x0) [0280.199] GetLastError () returned 0x0 [0280.199] SetLastError (dwErrCode=0x0) [0280.199] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0288.830] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0288.831] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0288.831] GetLastError () returned 0x0 [0288.832] SetLastError (dwErrCode=0x0) [0288.832] GetLastError () returned 0x0 [0288.832] SetLastError (dwErrCode=0x0) [0288.832] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0291.905] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0291.906] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0291.906] GetLastError () returned 0x0 [0291.907] SetLastError (dwErrCode=0x0) [0291.907] GetLastError () returned 0x0 [0291.907] SetLastError (dwErrCode=0x0) [0291.907] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0292.536] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0292.537] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0292.537] GetLastError () returned 0x0 [0292.538] SetLastError (dwErrCode=0x0) [0292.538] GetLastError () returned 0x0 [0292.538] SetLastError (dwErrCode=0x0) [0292.538] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0293.007] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0293.008] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0293.008] GetLastError () returned 0x0 [0293.009] SetLastError (dwErrCode=0x0) [0293.009] GetLastError () returned 0x0 [0293.009] SetLastError (dwErrCode=0x0) [0293.009] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0293.727] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0293.728] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0293.729] GetLastError () returned 0x0 [0293.729] SetLastError (dwErrCode=0x0) [0293.729] GetLastError () returned 0x0 [0293.729] SetLastError (dwErrCode=0x0) [0293.730] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0294.373] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0294.374] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0294.374] GetLastError () returned 0x0 [0294.374] SetLastError (dwErrCode=0x0) [0294.375] GetLastError () returned 0x0 [0294.375] SetLastError (dwErrCode=0x0) [0294.375] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0295.002] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0295.003] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0295.003] GetLastError () returned 0x0 [0295.003] SetLastError (dwErrCode=0x0) [0295.004] GetLastError () returned 0x0 [0295.004] SetLastError (dwErrCode=0x0) [0295.004] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0295.405] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0295.406] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0295.406] GetLastError () returned 0x0 [0295.406] SetLastError (dwErrCode=0x0) [0295.406] GetLastError () returned 0x0 [0295.407] SetLastError (dwErrCode=0x0) [0295.407] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0296.077] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0296.078] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0296.078] GetLastError () returned 0x0 [0296.079] SetLastError (dwErrCode=0x0) [0296.079] GetLastError () returned 0x0 [0296.079] SetLastError (dwErrCode=0x0) [0296.079] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0297.078] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0297.079] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0297.080] GetLastError () returned 0x0 [0297.080] SetLastError (dwErrCode=0x0) [0297.080] GetLastError () returned 0x0 [0297.081] SetLastError (dwErrCode=0x0) [0297.081] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0298.102] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0298.103] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0298.103] GetLastError () returned 0x0 [0298.104] SetLastError (dwErrCode=0x0) [0298.104] GetLastError () returned 0x0 [0298.104] SetLastError (dwErrCode=0x0) [0298.104] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0298.979] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0298.980] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0298.981] GetLastError () returned 0x0 [0298.981] SetLastError (dwErrCode=0x0) [0298.981] GetLastError () returned 0x0 [0298.981] SetLastError (dwErrCode=0x0) [0298.981] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0300.133] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0300.134] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0300.134] GetLastError () returned 0x0 [0300.135] SetLastError (dwErrCode=0x0) [0300.135] GetLastError () returned 0x0 [0300.135] SetLastError (dwErrCode=0x0) [0300.135] ShellExecuteExW (in: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0300.674] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe36908 | out: hHeap=0xe10000) returned 1 [0300.675] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x6000) returned 0xe36908 [0300.675] GetLastError () returned 0x0 [0300.675] SetLastError (dwErrCode=0x0) [0300.675] GetLastError () returned 0x0 [0300.676] SetLastError (dwErrCode=0x0) [0300.676] ShellExecuteExW (pExecInfo=0x18fb6c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpParameters="/dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 2 os_tid = 0xdcc Thread: id = 3 os_tid = 0xdc4 Thread: id = 4 os_tid = 0xdbc Thread: id = 5 os_tid = 0xdc0 Thread: id = 6 os_tid = 0xcdc Thread: id = 7 os_tid = 0x1190 Thread: id = 8 os_tid = 0x11b4 Thread: id = 10 os_tid = 0x118c Thread: id = 13 os_tid = 0xd08 Thread: id = 15 os_tid = 0x11e0 Thread: id = 18 os_tid = 0xd0c Thread: id = 21 os_tid = 0xd14 Thread: id = 24 os_tid = 0x11d8 Thread: id = 27 os_tid = 0x970 Thread: id = 31 os_tid = 0x1298 Thread: id = 34 os_tid = 0x11c0 Thread: id = 40 os_tid = 0xa88 Thread: id = 44 os_tid = 0x12c4 Thread: id = 50 os_tid = 0x12e8 Thread: id = 57 os_tid = 0x131c Thread: id = 61 os_tid = 0x1300 Thread: id = 65 os_tid = 0xbbc Thread: id = 68 os_tid = 0x138c Thread: id = 73 os_tid = 0x13b8 Thread: id = 77 os_tid = 0x13cc Thread: id = 80 os_tid = 0x6a8 Thread: id = 83 os_tid = 0x4ec Thread: id = 86 os_tid = 0x960 Thread: id = 89 os_tid = 0x4f8 Thread: id = 91 os_tid = 0xc08 Thread: id = 94 os_tid = 0xc1c Thread: id = 98 os_tid = 0xc34 Thread: id = 101 os_tid = 0xc4c Thread: id = 104 os_tid = 0xc64 Thread: id = 107 os_tid = 0xc78 Thread: id = 116 os_tid = 0xca4 Thread: id = 125 os_tid = 0xb60 Thread: id = 128 os_tid = 0xb68 Thread: id = 131 os_tid = 0xd4c Thread: id = 134 os_tid = 0xcbc Thread: id = 136 os_tid = 0xd98 Thread: id = 139 os_tid = 0xdac Thread: id = 142 os_tid = 0x13ec Thread: id = 146 os_tid = 0x1338 Thread: id = 149 os_tid = 0x114c Thread: id = 152 os_tid = 0xd38 Thread: id = 154 os_tid = 0x1178 Thread: id = 158 os_tid = 0xd44 Thread: id = 161 os_tid = 0xd0c Thread: id = 164 os_tid = 0x970 Thread: id = 167 os_tid = 0x11c0 Thread: id = 170 os_tid = 0x1200 Thread: id = 173 os_tid = 0x13e0 Thread: id = 177 os_tid = 0x136c Thread: id = 181 os_tid = 0x123c Thread: id = 185 os_tid = 0x11e4 Thread: id = 191 os_tid = 0x137c Thread: id = 194 os_tid = 0xe28 Thread: id = 197 os_tid = 0x1374 Thread: id = 201 os_tid = 0x1314 Thread: id = 206 os_tid = 0x11f8 Thread: id = 211 os_tid = 0x13cc Thread: id = 215 os_tid = 0x13a0 Thread: id = 221 os_tid = 0x824 Thread: id = 226 os_tid = 0x1344 Thread: id = 230 os_tid = 0x464 Thread: id = 233 os_tid = 0x13a8 Thread: id = 239 os_tid = 0xc40 Thread: id = 245 os_tid = 0xc14 Thread: id = 248 os_tid = 0xe1c Thread: id = 257 os_tid = 0xc48 Thread: id = 260 os_tid = 0xc44 Thread: id = 263 os_tid = 0xed8 Thread: id = 269 os_tid = 0xf28 Thread: id = 272 os_tid = 0xf54 Thread: id = 275 os_tid = 0xf84 Thread: id = 279 os_tid = 0xfb0 Thread: id = 282 os_tid = 0xfe4 Thread: id = 285 os_tid = 0x1008 Thread: id = 291 os_tid = 0x1050 Thread: id = 294 os_tid = 0x108c Thread: id = 297 os_tid = 0x10a4 Thread: id = 306 os_tid = 0xc9c Thread: id = 309 os_tid = 0xb60 Thread: id = 312 os_tid = 0xcc0 Thread: id = 315 os_tid = 0xd98 Thread: id = 320 os_tid = 0x234 Thread: id = 327 os_tid = 0x1134 Thread: id = 332 os_tid = 0x125c Thread: id = 335 os_tid = 0xd64 Thread: id = 340 os_tid = 0x1394 Thread: id = 345 os_tid = 0x11bc Thread: id = 350 os_tid = 0x1200 Thread: id = 353 os_tid = 0x13e0 Thread: id = 357 os_tid = 0x488 Thread: id = 365 os_tid = 0x12d8 Thread: id = 372 os_tid = 0x12a0 Thread: id = 375 os_tid = 0xcec Thread: id = 378 os_tid = 0xc94 Thread: id = 382 os_tid = 0x11a0 Thread: id = 385 os_tid = 0x119c Thread: id = 388 os_tid = 0x5fc Thread: id = 392 os_tid = 0x11a4 Thread: id = 396 os_tid = 0xcfc Thread: id = 400 os_tid = 0x13dc Thread: id = 406 os_tid = 0x11c8 Thread: id = 410 os_tid = 0x13a0 Thread: id = 415 os_tid = 0x3f8 Thread: id = 424 os_tid = 0x13a8 Thread: id = 430 os_tid = 0xc54 Thread: id = 437 os_tid = 0xe9c Thread: id = 446 os_tid = 0xeac Thread: id = 449 os_tid = 0xf18 Thread: id = 452 os_tid = 0xf40 Thread: id = 458 os_tid = 0xf84 Thread: id = 462 os_tid = 0xfe4 Thread: id = 470 os_tid = 0x1038 Thread: id = 473 os_tid = 0xc1c Thread: id = 477 os_tid = 0x1360 Thread: id = 480 os_tid = 0x5f0 Thread: id = 483 os_tid = 0x108c Thread: id = 487 os_tid = 0xca4 Thread: id = 491 os_tid = 0x414 Thread: id = 496 os_tid = 0x49c Thread: id = 501 os_tid = 0x13f0 Thread: id = 506 os_tid = 0xc7c Thread: id = 509 os_tid = 0xc24 Thread: id = 513 os_tid = 0xda4 Thread: id = 518 os_tid = 0x1020 Thread: id = 526 os_tid = 0x13b0 Thread: id = 531 os_tid = 0x970 Thread: id = 534 os_tid = 0x11c0 Thread: id = 539 os_tid = 0x12c8 Thread: id = 543 os_tid = 0x1184 Thread: id = 546 os_tid = 0x81c Thread: id = 549 os_tid = 0x1108 Thread: id = 555 os_tid = 0x12f4 Thread: id = 558 os_tid = 0x12a4 Thread: id = 564 os_tid = 0x11a0 Thread: id = 568 os_tid = 0x119c Thread: id = 571 os_tid = 0x5fc Thread: id = 575 os_tid = 0xcb0 Thread: id = 578 os_tid = 0x120c Thread: id = 583 os_tid = 0x1278 Thread: id = 587 os_tid = 0x11f8 Thread: id = 591 os_tid = 0x13c4 Thread: id = 594 os_tid = 0x1148 Thread: id = 598 os_tid = 0xda0 Thread: id = 602 os_tid = 0x13a0 Thread: id = 605 os_tid = 0x131c Thread: id = 611 os_tid = 0x464 Thread: id = 618 os_tid = 0x1210 Thread: id = 623 os_tid = 0xe80 Thread: id = 627 os_tid = 0xd58 Thread: id = 630 os_tid = 0xe7c Thread: id = 633 os_tid = 0xcb4 Thread: id = 636 os_tid = 0x10e4 Thread: id = 642 os_tid = 0xcd4 Thread: id = 649 os_tid = 0xf84 Thread: id = 652 os_tid = 0xc18 Thread: id = 656 os_tid = 0x1154 Thread: id = 660 os_tid = 0xb64 Thread: id = 663 os_tid = 0x1360 Thread: id = 668 os_tid = 0xc80 Thread: id = 672 os_tid = 0x10a4 Thread: id = 676 os_tid = 0x12b0 Thread: id = 679 os_tid = 0x127c Thread: id = 685 os_tid = 0x1388 Thread: id = 689 os_tid = 0x1144 Thread: id = 695 os_tid = 0x13f0 Thread: id = 701 os_tid = 0xee8 Thread: id = 706 os_tid = 0x1024 Thread: id = 712 os_tid = 0x430 Thread: id = 715 os_tid = 0xda4 Thread: id = 718 os_tid = 0xc58 Thread: id = 721 os_tid = 0x970 Thread: id = 724 os_tid = 0xa88 Thread: id = 730 os_tid = 0x137c Thread: id = 738 os_tid = 0x1108 Thread: id = 741 os_tid = 0x12f4 Thread: id = 745 os_tid = 0x11a0 Thread: id = 750 os_tid = 0xd10 Thread: id = 753 os_tid = 0x12cc Thread: id = 756 os_tid = 0xc94 Thread: id = 759 os_tid = 0xcf4 Thread: id = 762 os_tid = 0xb60 Thread: id = 767 os_tid = 0xcd8 Thread: id = 773 os_tid = 0x98c Thread: id = 776 os_tid = 0x4ec Thread: id = 780 os_tid = 0x1214 Thread: id = 784 os_tid = 0xa68 Thread: id = 789 os_tid = 0xc34 Thread: id = 797 os_tid = 0x11dc Thread: id = 802 os_tid = 0xd78 Thread: id = 805 os_tid = 0x14c Thread: id = 808 os_tid = 0x1194 Thread: id = 811 os_tid = 0xe80 Thread: id = 818 os_tid = 0xf00 Thread: id = 823 os_tid = 0xc08 Thread: id = 827 os_tid = 0xeb8 Thread: id = 830 os_tid = 0xeac Thread: id = 834 os_tid = 0xfe4 Thread: id = 837 os_tid = 0xc68 Thread: id = 840 os_tid = 0x10f4 Thread: id = 844 os_tid = 0x488 Thread: id = 847 os_tid = 0x8e4 Thread: id = 854 os_tid = 0xb30 Thread: id = 859 os_tid = 0x1360 Thread: id = 862 os_tid = 0x1090 Thread: id = 867 os_tid = 0x17c Thread: id = 870 os_tid = 0xc5c Thread: id = 873 os_tid = 0xe18 Thread: id = 880 os_tid = 0x127c Thread: id = 888 os_tid = 0xcc4 Thread: id = 891 os_tid = 0xd5c Thread: id = 894 os_tid = 0x132c Thread: id = 897 os_tid = 0xfc8 Thread: id = 900 os_tid = 0x3f8 Thread: id = 906 os_tid = 0xe00 Thread: id = 913 os_tid = 0x1068 Thread: id = 916 os_tid = 0x430 Thread: id = 920 os_tid = 0xc14 Thread: id = 923 os_tid = 0x1020 Thread: id = 926 os_tid = 0xc58 Thread: id = 930 os_tid = 0x1178 Thread: id = 933 os_tid = 0xd24 Thread: id = 938 os_tid = 0x137c Thread: id = 944 os_tid = 0x12d0 Thread: id = 947 os_tid = 0xd54 Thread: id = 950 os_tid = 0xb58 Process: id = "2" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x68d9e000" os_pid = "0x11ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 351 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 352 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 353 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 354 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 355 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 356 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 357 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 358 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 359 start_va = 0xae0000 end_va = 0xae1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 360 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 361 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 362 start_va = 0x7ee80000 end_va = 0x7eea2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee80000" filename = "" Region: id = 363 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 364 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 365 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 366 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 371 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 372 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 373 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 374 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 375 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 376 start_va = 0xaf0000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 377 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 378 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 379 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 380 start_va = 0x7ed80000 end_va = 0x7ee7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed80000" filename = "" Region: id = 381 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 382 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 383 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 384 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 385 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 386 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 387 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 388 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 389 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 390 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 391 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 392 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 393 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 394 start_va = 0xae0000 end_va = 0xae3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 395 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 396 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 397 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 416 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 417 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 418 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 419 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 420 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 421 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 422 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 423 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 424 start_va = 0xaf0000 end_va = 0xb19fff monitored = 0 entry_point = 0xaf5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 425 start_va = 0xc40000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 426 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 435 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 436 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 437 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 438 start_va = 0xaf0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 439 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 440 start_va = 0xb20000 end_va = 0xbb0fff monitored = 0 entry_point = 0xb58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 473 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 474 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 475 start_va = 0xb10000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 476 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 477 start_va = 0xb00000 end_va = 0xb07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 575 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 576 start_va = 0xb20000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 577 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 578 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 579 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 868 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Thread: id = 9 os_tid = 0x11a8 [0067.734] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.734] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.734] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.734] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.735] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.735] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.736] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.736] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.736] GetProcessHeap () returned 0xc40000 [0067.736] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.737] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.737] GetLastError () returned 0x7e [0067.737] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0067.737] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.737] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x364) returned 0xc50a28 [0067.737] SetLastError (dwErrCode=0x7e) [0067.737] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0xe00) returned 0xc50d98 [0067.739] GetStartupInfoW (in: lpStartupInfo=0x18f9c4 | out: lpStartupInfo=0x18f9c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.739] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0067.739] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0067.739] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0067.739] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider" [0067.740] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider" [0067.740] GetACP () returned 0x4e4 [0067.740] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x0, Size=0x220) returned 0xc51ba0 [0067.740] IsValidCodePage (CodePage=0x4e4) returned 1 [0067.740] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e4 | out: lpCPInfo=0x18f9e4) returned 1 [0067.740] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2ac | out: lpCPInfo=0x18f2ac) returned 1 [0067.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.740] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2c0 | out: lpCharType=0x18f2c0) returned 1 [0067.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.740] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x18f008, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.740] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.740] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0067.740] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.740] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0067.741] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨AS\x1düù\x18", lpUsedDefaultChar=0x0) returned 256 [0067.741] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.741] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8c0, cbMultiByte=256, lpWideCharStr=0x18f018, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.741] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.741] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0067.741] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨AS\x1düù\x18", lpUsedDefaultChar=0x0) returned 256 [0067.741] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x0, Size=0x80) returned 0xc43830 [0067.741] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0067.741] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x160) returned 0xc49c70 [0067.741] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0067.741] GetLastError () returned 0x0 [0067.741] SetLastError (dwErrCode=0x0) [0067.741] GetEnvironmentStringsW () returned 0xc51dc8* [0067.741] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x0, Size=0xa8c) returned 0xc52860 [0067.742] FreeEnvironmentStringsW (penv=0xc51dc8) returned 1 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x90) returned 0xc44520 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x3e) returned 0xc4aa50 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x5c) returned 0xc487f8 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x6e) returned 0xc445e8 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x78) returned 0xc535a0 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x62) returned 0xc449b8 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x28) returned 0xc43d50 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x48) returned 0xc43fa0 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x1a) returned 0xc40570 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x3a) returned 0xc4ad68 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x62) returned 0xc43bb0 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x2a) returned 0xc484b0 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x2e) returned 0xc48638 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x1c) returned 0xc43d80 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x144) returned 0xc51dc8 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x7c) returned 0xc48058 [0067.742] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x36) returned 0xc4e638 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x3a) returned 0xc4b080 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x90) returned 0xc44358 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x24) returned 0xc438d0 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x30) returned 0xc484e8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x36) returned 0xc4e678 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x48) returned 0xc428d8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x52) returned 0xc404b8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x3c) returned 0xc4abb8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0xd6) returned 0xc49e30 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x2e) returned 0xc48600 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x1e) returned 0xc42928 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x2c) returned 0xc48558 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x54) returned 0xc43dc8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x52) returned 0xc44028 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x24) returned 0xc43e28 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x42) returned 0xc44088 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x2c) returned 0xc486a8 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x44) returned 0xc49f60 [0067.813] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x24) returned 0xc43900 [0067.815] HeapFree (in: hHeap=0xc40000, dwFlags=0x0, lpMem=0xc52860 | out: hHeap=0xc40000) returned 1 [0067.815] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x8, Size=0x800) returned 0xc51f18 [0067.815] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.815] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0067.815] GetStartupInfoW (in: lpStartupInfo=0x18fa28 | out: lpStartupInfo=0x18fa28*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.815] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider" [0067.815] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider", pNumArgs=0x18fa14 | out: pNumArgs=0x18fa14) returned 0xc52b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0067.816] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0067.830] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x0, Size=0x1000) returned 0xc54300 [0067.830] RtlAllocateHeap (HeapHandle=0xc40000, Flags=0x0, Size=0x28) returned 0xc4a6a8 [0067.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_addProvider", cchWideChar=-1, lpMultiByteStr=0xc4a6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_addProvider", lpUsedDefaultChar=0x0) returned 20 [0067.830] GetLastError () returned 0x0 [0067.830] SetLastError (dwErrCode=0x0) [0067.830] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderW") returned 0x0 [0067.830] GetLastError () returned 0x7f [0067.830] SetLastError (dwErrCode=0x7f) [0067.831] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderA") returned 0x0 [0067.831] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProvider") returned 0x647cb3e5 [0067.831] GetActiveWindow () returned 0x0 [0067.833] GetLastError () returned 0x7f [0067.833] SetLastError (dwErrCode=0x7f) Thread: id = 11 os_tid = 0xcfc Process: id = "3" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5ecd9000" os_pid = "0xce0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 398 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 399 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 400 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 401 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 402 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 403 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 404 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 405 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 406 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 407 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 408 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 409 start_va = 0x7ece0000 end_va = 0x7ed02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Region: id = 410 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 411 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 412 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 413 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 427 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 428 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 429 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 430 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 431 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 432 start_va = 0x7c0000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 433 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 434 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 457 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 458 start_va = 0x7ebe0000 end_va = 0x7ecdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebe0000" filename = "" Region: id = 459 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 460 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 461 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 462 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 463 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 464 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 465 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 466 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 467 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 468 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 469 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 470 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 471 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 472 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 503 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 504 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 505 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 506 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 507 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 508 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 509 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 510 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 511 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 512 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 513 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 514 start_va = 0x7c0000 end_va = 0x7e9fff monitored = 0 entry_point = 0x7c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 515 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 516 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 517 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 518 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 519 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 520 start_va = 0xa80000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 521 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 522 start_va = 0xa80000 end_va = 0xb10fff monitored = 0 entry_point = 0xab8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 523 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 571 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 572 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 573 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 574 start_va = 0x960000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 625 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 626 start_va = 0x970000 end_va = 0x971fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 667 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 668 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 669 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 867 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Thread: id = 12 os_tid = 0xce4 [0067.978] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.978] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.978] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.978] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.979] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.979] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.979] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.979] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0067.980] GetProcessHeap () returned 0x980000 [0067.980] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.980] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0067.980] GetLastError () returned 0x7e [0067.980] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0067.980] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0067.980] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x364) returned 0x990a48 [0067.981] SetLastError (dwErrCode=0x7e) [0067.981] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0xe00) returned 0x990db8 [0067.982] GetStartupInfoW (in: lpStartupInfo=0x18f844 | out: lpStartupInfo=0x18f844*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.982] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0067.982] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0067.982] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0067.983] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create" [0067.983] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create" [0067.983] GetACP () returned 0x4e4 [0067.983] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x220) returned 0x991bc0 [0067.983] IsValidCodePage (CodePage=0x4e4) returned 1 [0067.983] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f864 | out: lpCPInfo=0x18f864) returned 1 [0067.983] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f12c | out: lpCPInfo=0x18f12c) returned 1 [0067.983] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.983] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18eec8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.983] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f140 | out: lpCharType=0x18f140) returned 1 [0067.983] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.983] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.983] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0067.983] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0067.983] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.983] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0067.983] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f640, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìÇbk|ø\x18", lpUsedDefaultChar=0x0) returned 256 [0067.983] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.984] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18ee98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0067.984] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.984] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0067.984] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f540, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìÇbk|ø\x18", lpUsedDefaultChar=0x0) returned 256 [0067.984] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x80) returned 0x983848 [0067.984] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0067.984] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x16e) returned 0x991de8 [0067.984] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0067.984] GetLastError () returned 0x0 [0067.984] SetLastError (dwErrCode=0x0) [0067.984] GetEnvironmentStringsW () returned 0x991f60* [0067.984] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0xa8c) returned 0x9929f8 [0067.984] FreeEnvironmentStringsW (penv=0x991f60) returned 1 [0067.984] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x90) returned 0x984538 [0067.984] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3e) returned 0x98b0a0 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x5c) returned 0x988a78 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x6e) returned 0x984830 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x78) returned 0x993cb8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x62) returned 0x9849d0 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x28) returned 0x983d68 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x48) returned 0x983fb8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1a) returned 0x983d98 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3a) returned 0x98ae18 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x62) returned 0x984600 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2a) returned 0x9886f8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2e) returned 0x988730 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1c) returned 0x9847a0 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x144) returned 0x989c90 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x7c) returned 0x984370 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x36) returned 0x98e0d8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3a) returned 0x98b130 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x90) returned 0x983de0 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x9847c8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x30) returned 0x988768 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x36) returned 0x98e618 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x48) returned 0x983bc8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x52) returned 0x9838e8 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3c) returned 0x98a9e0 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0xd6) returned 0x989e50 [0067.985] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2e) returned 0x988880 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1e) returned 0x983c18 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2c) returned 0x9888f0 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x54) returned 0x9828e8 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x52) returned 0x9804b8 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x984040 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x42) returned 0x984070 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2c) returned 0x9887a0 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x44) returned 0x989f80 [0067.986] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x9840c0 [0067.987] HeapFree (in: hHeap=0x980000, dwFlags=0x0, lpMem=0x9929f8 | out: hHeap=0x980000) returned 1 [0067.987] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x800) returned 0x991f60 [0067.987] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0067.987] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0067.987] GetStartupInfoW (in: lpStartupInfo=0x18f8a8 | out: lpStartupInfo=0x18f8a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0067.987] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create" [0067.987] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create", pNumArgs=0x18f894 | out: pNumArgs=0x18f894) returned 0x992bb0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0067.988] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0068.146] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x1000) returned 0x994498 [0068.146] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x36) returned 0x98e258 [0068.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_create", cchWideChar=-1, lpMultiByteStr=0x98e258, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_create", lpUsedDefaultChar=0x0) returned 27 [0068.146] GetLastError () returned 0x0 [0068.146] SetLastError (dwErrCode=0x0) [0068.146] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createW") returned 0x0 [0068.147] GetLastError () returned 0x7f [0068.147] SetLastError (dwErrCode=0x7f) [0068.147] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createA") returned 0x0 [0068.147] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_create") returned 0x647c7d14 [0068.147] GetActiveWindow () returned 0x0 [0068.148] GetLastError () returned 0x7f [0068.148] SetLastError (dwErrCode=0x7f) Thread: id = 16 os_tid = 0x11dc Process: id = "4" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5ec7a000" os_pid = "0xd00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 441 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 442 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 443 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 444 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 445 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 446 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 447 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 448 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 449 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 450 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 451 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 452 start_va = 0x7e780000 end_va = 0x7e7a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e780000" filename = "" Region: id = 453 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 454 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 455 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 456 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 478 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 479 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 480 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 481 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 482 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 483 start_va = 0x4d0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 484 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 524 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 525 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 526 start_va = 0x7e680000 end_va = 0x7e77ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e680000" filename = "" Region: id = 527 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 528 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 529 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 530 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 531 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 532 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 533 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 534 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 535 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 536 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 537 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 538 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 539 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 540 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 541 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 542 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 580 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 581 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 582 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 583 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 584 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 585 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 586 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 587 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 588 start_va = 0x940000 end_va = 0x969fff monitored = 0 entry_point = 0x945680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 589 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 674 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 675 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 676 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 677 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 678 start_va = 0xad0000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 679 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 680 start_va = 0xad0000 end_va = 0xb60fff monitored = 0 entry_point = 0xb08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 681 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 731 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 741 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 742 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 743 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 744 start_va = 0x4e0000 end_va = 0x4e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 864 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 881 start_va = 0xad0000 end_va = 0xad1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 882 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 883 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 884 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 885 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Thread: id = 14 os_tid = 0x119c [0068.782] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0068.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.782] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0068.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0068.783] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0068.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.784] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0068.784] GetProcessHeap () returned 0x4f0000 [0068.784] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0068.784] GetLastError () returned 0x7e [0068.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0068.785] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0068.785] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x364) returned 0x500a40 [0068.785] SetLastError (dwErrCode=0x7e) [0068.785] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe00) returned 0x500db0 [0068.787] GetStartupInfoW (in: lpStartupInfo=0x18fd48 | out: lpStartupInfo=0x18fd48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.787] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0068.787] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0068.787] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0068.787] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt" [0068.787] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt" [0068.787] GetACP () returned 0x4e4 [0068.787] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x220) returned 0x501bb8 [0068.787] IsValidCodePage (CodePage=0x4e4) returned 1 [0068.787] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd68 | out: lpCPInfo=0x18fd68) returned 1 [0068.787] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f630 | out: lpCPInfo=0x18f630) returned 1 [0068.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x18f3d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0068.788] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f644 | out: lpCharType=0x18f644) returned 1 [0068.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x18f388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0068.788] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.788] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0068.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0068.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f178, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0068.788] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ/Ø%Ú\x80ý\x18", lpUsedDefaultChar=0x0) returned 256 [0068.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpWideCharStr=0x18f3a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0068.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0068.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f198, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0068.788] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ/Ø%Ú\x80ý\x18", lpUsedDefaultChar=0x0) returned 256 [0068.789] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x80) returned 0x4f3848 [0068.789] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0068.789] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x170) returned 0x501de0 [0068.789] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0068.789] GetLastError () returned 0x0 [0068.789] SetLastError (dwErrCode=0x0) [0068.789] GetEnvironmentStringsW () returned 0x501f58* [0068.789] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0xa8c) returned 0x5029f0 [0068.957] FreeEnvironmentStringsW (penv=0x501f58) returned 1 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4538 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3e) returned 0x4fab40 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x5c) returned 0x4f8810 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x6e) returned 0x4f4600 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x78) returned 0x503eb0 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f49d0 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x4f3d68 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f3fb8 [0068.957] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x4f0570 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fac18 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f3bc8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2a) returned 0x4f86f8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f8538 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x4f3d98 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x144) returned 0x4f9c88 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x7c) returned 0x4f8070 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fdf50 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fae58 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4370 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f38e8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x30) returned 0x4f8420 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe250 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f28e8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f04b8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3c) returned 0x4faee8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xd6) returned 0x4f9e48 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f8570 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1e) returned 0x4f2938 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f85a8 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x4f3de0 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f4040 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f3e40 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x42) returned 0x4f40a0 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f85e0 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x4f9f78 [0068.958] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f3918 [0068.959] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x5029f0 | out: hHeap=0x4f0000) returned 1 [0068.959] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x800) returned 0x501f58 [0068.959] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0068.959] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0068.959] GetStartupInfoW (in: lpStartupInfo=0x18fdac | out: lpStartupInfo=0x18fdac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.959] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt" [0068.959] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt", pNumArgs=0x18fd98 | out: pNumArgs=0x18fd98) returned 0x502ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0068.960] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0068.963] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x504490 [0068.963] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x38) returned 0x4fe210 [0068.963] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decrypt", cchWideChar=-1, lpMultiByteStr=0x4fe210, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decrypt", lpUsedDefaultChar=0x0) returned 28 [0068.964] GetLastError () returned 0x0 [0068.964] SetLastError (dwErrCode=0x0) [0068.964] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptW") returned 0x0 [0068.964] GetLastError () returned 0x7f [0068.964] SetLastError (dwErrCode=0x7f) [0068.964] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptA") returned 0x0 [0068.964] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decrypt") returned 0x647c7430 [0068.964] GetActiveWindow () returned 0x0 [0069.024] GetLastError () returned 0x7f [0069.024] SetLastError (dwErrCode=0x7f) Thread: id = 19 os_tid = 0xd10 Process: id = "5" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63006000" os_pid = "0xd04" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 487 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 488 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 489 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 490 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 491 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 492 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 493 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 494 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 495 start_va = 0xab0000 end_va = 0xab1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 496 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 497 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 498 start_va = 0x7f170000 end_va = 0x7f192fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f170000" filename = "" Region: id = 499 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 500 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 501 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 502 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 543 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 544 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 545 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 546 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 547 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 548 start_va = 0xac0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 549 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 550 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 590 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 591 start_va = 0x7f070000 end_va = 0x7f16ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f070000" filename = "" Region: id = 592 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 593 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 594 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 595 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 596 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 597 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 598 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 599 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 600 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 627 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 628 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 629 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 630 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 631 start_va = 0xab0000 end_va = 0xab3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 632 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 633 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 634 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 635 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 636 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 637 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 638 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 639 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 640 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 641 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 670 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 671 start_va = 0xac0000 end_va = 0xae9fff monitored = 0 entry_point = 0xac5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 672 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 673 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 682 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 683 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 684 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 685 start_va = 0xac0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 686 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 687 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 688 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 732 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 771 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 772 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 773 start_va = 0xad0000 end_va = 0xad7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 822 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 823 start_va = 0xae0000 end_va = 0xae1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 877 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 878 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 879 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 880 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Thread: id = 17 os_tid = 0x11f0 [0068.966] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0068.966] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.966] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0068.966] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.967] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0068.967] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0068.967] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.968] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0068.968] GetProcessHeap () returned 0xc00000 [0068.968] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.968] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0068.968] GetLastError () returned 0x7e [0068.968] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0068.969] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0068.969] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x364) returned 0xc10a48 [0068.969] SetLastError (dwErrCode=0x7e) [0068.969] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0xe00) returned 0xc10db8 [0068.971] GetStartupInfoW (in: lpStartupInfo=0x18f7e8 | out: lpStartupInfo=0x18f7e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.971] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0068.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0068.971] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0068.971] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny" [0068.971] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny" [0068.971] GetACP () returned 0x4e4 [0068.971] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x0, Size=0x220) returned 0xc11bc0 [0068.971] IsValidCodePage (CodePage=0x4e4) returned 1 [0068.971] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f808 | out: lpCPInfo=0x18f808) returned 1 [0068.971] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0d0 | out: lpCPInfo=0x18f0d0) returned 1 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0068.972] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0e4 | out: lpCharType=0x18f0e4) returned 1 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0068.972] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0068.972] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0068.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0068.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0068.972] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ´ÛåW ø\x18", lpUsedDefaultChar=0x0) returned 256 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0068.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0068.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0068.973] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0068.973] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ´ÛåW ø\x18", lpUsedDefaultChar=0x0) returned 256 [0068.973] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x0, Size=0x80) returned 0xc03850 [0068.973] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0068.973] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x176) returned 0xc11de8 [0068.973] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0068.973] GetLastError () returned 0x0 [0068.973] SetLastError (dwErrCode=0x0) [0068.973] GetEnvironmentStringsW () returned 0xc11f68* [0068.973] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x0, Size=0xa8c) returned 0xc12a00 [0068.974] FreeEnvironmentStringsW (penv=0xc11f68) returned 1 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x90) returned 0xc047a0 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x3e) returned 0xc0b010 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x5c) returned 0xc08a78 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x6e) returned 0xc04868 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x78) returned 0xc14240 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x62) returned 0xc04c38 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x28) returned 0xc03d70 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x48) returned 0xc03fc0 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x1a) returned 0xc00570 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x3a) returned 0xc0ab48 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x62) returned 0xc03bd0 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x2a) returned 0xc08650 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x2e) returned 0xc08688 [0068.974] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x1c) returned 0xc03da0 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x144) returned 0xc09c90 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x7c) returned 0xc082d8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x36) returned 0xc0dfd8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x3a) returned 0xc0a998 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x90) returned 0xc045d8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x24) returned 0xc038f0 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x30) returned 0xc088b8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x36) returned 0xc0e218 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x48) returned 0xc028f0 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x52) returned 0xc004b8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x3c) returned 0xc0b0e8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0xd6) returned 0xc09e50 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x2e) returned 0xc08960 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x1e) returned 0xc02940 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x2c) returned 0xc088f0 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x54) returned 0xc03de8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x52) returned 0xc04048 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x24) returned 0xc03e48 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x42) returned 0xc040a8 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x2c) returned 0xc08730 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x44) returned 0xc09f80 [0068.975] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x24) returned 0xc03920 [0068.976] HeapFree (in: hHeap=0xc00000, dwFlags=0x0, lpMem=0xc12a00 | out: hHeap=0xc00000) returned 1 [0068.976] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x8, Size=0x800) returned 0xc11f68 [0068.976] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0068.976] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0068.977] GetStartupInfoW (in: lpStartupInfo=0x18f84c | out: lpStartupInfo=0x18f84c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0068.977] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny" [0068.977] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny", pNumArgs=0x18f838 | out: pNumArgs=0x18f838) returned 0xc12bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0068.978] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0068.981] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x0, Size=0x1000) returned 0xc144a0 [0068.981] RtlAllocateHeap (HeapHandle=0xc00000, Flags=0x0, Size=0x3e) returned 0xc0ae60 [0068.981] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decryptAny", cchWideChar=-1, lpMultiByteStr=0xc0ae60, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decryptAny", lpUsedDefaultChar=0x0) returned 31 [0068.981] GetLastError () returned 0x0 [0068.981] SetLastError (dwErrCode=0x0) [0068.981] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyW") returned 0x0 [0068.982] GetLastError () returned 0x7f [0068.982] SetLastError (dwErrCode=0x7f) [0068.982] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyA") returned 0x0 [0068.982] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAny") returned 0x647c7a5d [0068.982] GetActiveWindow () returned 0x0 [0069.109] GetLastError () returned 0x7f [0069.109] SetLastError (dwErrCode=0x7f) Thread: id = 22 os_tid = 0xd20 Process: id = "6" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2121d000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 553 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 554 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 555 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 556 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 557 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 558 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 559 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 560 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 561 start_va = 0xbd0000 end_va = 0xbd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 562 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 563 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 564 start_va = 0x7f2c0000 end_va = 0x7f2e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2c0000" filename = "" Region: id = 565 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 566 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 567 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 568 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 601 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 602 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 603 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 604 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 605 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 606 start_va = 0xbe0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 607 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 608 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 642 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 643 start_va = 0x7f1c0000 end_va = 0x7f2bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1c0000" filename = "" Region: id = 644 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 645 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 646 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 647 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 648 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 649 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 650 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 651 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 652 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 653 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 654 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 655 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 656 start_va = 0xbd0000 end_va = 0xbd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 657 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 658 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 659 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 707 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 708 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 709 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 710 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 711 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 712 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 713 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 714 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 715 start_va = 0xcf0000 end_va = 0xd19fff monitored = 0 entry_point = 0xcf5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 716 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 745 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 746 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 747 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 748 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 749 start_va = 0xcf0000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 750 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 751 start_va = 0xcf0000 end_va = 0xd80fff monitored = 0 entry_point = 0xd28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 752 start_va = 0xe70000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 809 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 810 start_va = 0xbe0000 end_va = 0xbe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 811 start_va = 0xbf0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 812 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 865 start_va = 0xcf0000 end_va = 0xcf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 866 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 916 start_va = 0xd00000 end_va = 0xd01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 917 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 918 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 919 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 920 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Thread: id = 20 os_tid = 0xd18 [0069.283] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.283] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.283] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.284] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.284] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.284] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.285] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.285] GetProcessHeap () returned 0xbf0000 [0069.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.286] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.286] GetLastError () returned 0x7e [0069.286] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0069.286] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.286] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x364) returned 0xc009a0 [0069.286] SetLastError (dwErrCode=0x7e) [0069.286] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xe00) returned 0xc00d10 [0069.288] GetStartupInfoW (in: lpStartupInfo=0x18f850 | out: lpStartupInfo=0x18f850*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.288] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0069.288] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0069.288] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0069.288] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId" [0069.288] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId" [0069.288] GetACP () returned 0x4e4 [0069.288] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x220) returned 0xc01b18 [0069.289] IsValidCodePage (CodePage=0x4e4) returned 1 [0069.289] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f870 | out: lpCPInfo=0x18f870) returned 1 [0069.289] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f138 | out: lpCPInfo=0x18f138) returned 1 [0069.289] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.289] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.289] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f14c | out: lpCharType=0x18f14c) returned 1 [0069.289] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.289] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.289] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.289] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0069.289] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.289] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.289] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f64c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿt¥u\x88\x88ø\x18", lpUsedDefaultChar=0x0) returned 256 [0069.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.290] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.290] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0069.290] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f54c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿt¥u\x88\x88ø\x18", lpUsedDefaultChar=0x0) returned 256 [0069.290] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x80) returned 0xbf3878 [0069.290] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0069.290] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x192) returned 0xc01d40 [0069.290] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0069.290] GetLastError () returned 0x0 [0069.290] SetLastError (dwErrCode=0x0) [0069.290] GetEnvironmentStringsW () returned 0xc01ee0* [0069.290] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0xa8c) returned 0xc02978 [0069.291] FreeEnvironmentStringsW (penv=0xc01ee0) returned 1 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf4568 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3e) returned 0xbfb080 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x5c) returned 0xbf8840 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x6e) returned 0xbf4630 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x78) returned 0xc03bb8 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf4a00 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x28) returned 0xbf3d98 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf3fe8 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1a) returned 0xbf0570 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfad68 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf3bf8 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2a) returned 0xbf84c0 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf8568 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1c) returned 0xbf3dc8 [0069.291] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x144) returned 0xbf9cb8 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x7c) returned 0xbf80a0 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe630 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfab28 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf43a0 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3918 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x30) returned 0xbf8728 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe4f0 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf2908 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf04b8 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3c) returned 0xbfadf8 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xd6) returned 0xbf9e78 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf85a0 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1e) returned 0xbf2958 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf8760 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x54) returned 0xbf3e10 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf4070 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3e70 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x42) returned 0xbf40d0 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf8610 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x44) returned 0xbf9fa8 [0069.292] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3948 [0069.293] HeapFree (in: hHeap=0xbf0000, dwFlags=0x0, lpMem=0xc02978 | out: hHeap=0xbf0000) returned 1 [0069.293] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x800) returned 0xc01ee0 [0069.293] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.293] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0069.293] GetStartupInfoW (in: lpStartupInfo=0x18f8b4 | out: lpStartupInfo=0x18f8b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.293] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId" [0069.293] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId", pNumArgs=0x18f8a0 | out: pNumArgs=0x18f8a0) returned 0xc02b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0069.294] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0069.297] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x1000) returned 0xc04418 [0069.297] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x5a) returned 0xbfa6f0 [0069.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_deserializeCertificateId", cchWideChar=-1, lpMultiByteStr=0xbfa6f0, cbMultiByte=90, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_deserializeCertificateId", lpUsedDefaultChar=0x0) returned 45 [0069.297] GetLastError () returned 0x0 [0069.297] SetLastError (dwErrCode=0x0) [0069.297] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdW") returned 0x0 [0069.297] GetLastError () returned 0x7f [0069.297] SetLastError (dwErrCode=0x7f) [0069.298] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdA") returned 0x0 [0069.298] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateId") returned 0x647cddbf [0069.298] GetActiveWindow () returned 0x0 [0069.299] GetLastError () returned 0x7f [0069.299] SetLastError (dwErrCode=0x7f) Thread: id = 25 os_tid = 0x8e4 Process: id = "7" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63080000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 609 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 610 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 611 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 612 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 613 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 614 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 615 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 616 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 617 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 618 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 619 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 620 start_va = 0x7e4d0000 end_va = 0x7e4f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4d0000" filename = "" Region: id = 621 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 622 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 623 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 624 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 660 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 661 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 662 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 663 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 664 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 665 start_va = 0xcd0000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 666 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 717 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 718 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 719 start_va = 0x7e3d0000 end_va = 0x7e4cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3d0000" filename = "" Region: id = 720 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 721 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 722 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 723 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 724 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 725 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 726 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 727 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 728 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 729 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 730 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 774 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 775 start_va = 0xcc0000 end_va = 0xcc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 776 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 777 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 778 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 779 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 780 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 781 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 782 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 783 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 784 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 785 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 786 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 787 start_va = 0xcd0000 end_va = 0xcf9fff monitored = 0 entry_point = 0xcd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 788 start_va = 0xd80000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 789 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 824 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 825 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 826 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 827 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 828 start_va = 0xcd0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 829 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 830 start_va = 0xe80000 end_va = 0xf10fff monitored = 0 entry_point = 0xeb8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 869 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 888 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 889 start_va = 0xcf0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 890 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 891 start_va = 0xce0000 end_va = 0xce7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 899 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 904 start_va = 0xd00000 end_va = 0xd01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 905 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 906 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 907 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 908 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Thread: id = 23 os_tid = 0xd28 [0069.440] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.440] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.440] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.440] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.440] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.441] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.441] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.442] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.442] GetProcessHeap () returned 0xd80000 [0069.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.442] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.442] GetLastError () returned 0x7e [0069.442] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0069.443] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.443] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x364) returned 0xd90968 [0069.443] SetLastError (dwErrCode=0x7e) [0069.443] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0xe00) returned 0xd90cd8 [0069.445] GetStartupInfoW (in: lpStartupInfo=0x18fa84 | out: lpStartupInfo=0x18fa84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.445] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0069.445] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0069.445] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0069.445] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId" [0069.445] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId" [0069.445] GetACP () returned 0x4e4 [0069.445] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x0, Size=0x220) returned 0xd91ae0 [0069.445] IsValidCodePage (CodePage=0x4e4) returned 1 [0069.445] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18faa4 | out: lpCPInfo=0x18faa4) returned 1 [0069.445] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f36c | out: lpCPInfo=0x18f36c) returned 1 [0069.445] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x18f108, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.446] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f380 | out: lpCharType=0x18f380) returned 1 [0069.653] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x18f0c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.654] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.654] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0069.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eeb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f880, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]Jmz¼ú\x18", lpUsedDefaultChar=0x0) returned 256 [0069.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f980, cbMultiByte=256, lpWideCharStr=0x18f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eec8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0069.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f780, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]Jmz¼ú\x18", lpUsedDefaultChar=0x0) returned 256 [0069.654] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x0, Size=0x80) returned 0xd83878 [0069.655] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0069.655] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x18e) returned 0xd91d08 [0069.655] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0069.655] GetLastError () returned 0x0 [0069.655] SetLastError (dwErrCode=0x0) [0069.655] GetEnvironmentStringsW () returned 0xd91ea0* [0069.655] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x0, Size=0xa8c) returned 0xd92938 [0069.655] FreeEnvironmentStringsW (penv=0xd91ea0) returned 1 [0069.655] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x90) returned 0xd84568 [0069.655] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x3e) returned 0xd8ac10 [0069.655] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x5c) returned 0xd88a68 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x6e) returned 0xd84860 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x78) returned 0xd942f8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x62) returned 0xd83fe8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x28) returned 0xd89e40 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x48) returned 0xd83d98 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x1a) returned 0xd84630 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x3a) returned 0xd8abc8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x62) returned 0xd847d0 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x2a) returned 0xd886e8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x2e) returned 0xd88720 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x1c) returned 0xd84658 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x144) returned 0xd89c80 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x7c) returned 0xd882c8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x36) returned 0xd8e5f8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x3a) returned 0xd8aca0 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x90) returned 0xd8a290 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x24) returned 0xd83bf8 [0069.656] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x30) returned 0xd88758 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x36) returned 0xd8e038 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x48) returned 0xd83918 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x52) returned 0xd82908 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x3c) returned 0xd8b000 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0xd6) returned 0xd804a0 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x2e) returned 0xd88790 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x1e) returned 0xd80580 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x2c) returned 0xd88988 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x54) returned 0xd843a0 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x52) returned 0xd83e10 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x24) returned 0xd84400 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x42) returned 0xd84070 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x2c) returned 0xd888e0 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x44) returned 0xd840c0 [0069.657] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x24) returned 0xd83e70 [0069.658] HeapFree (in: hHeap=0xd80000, dwFlags=0x0, lpMem=0xd92938 | out: hHeap=0xd80000) returned 1 [0069.658] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x8, Size=0x800) returned 0xd91ea0 [0069.658] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.658] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0069.658] GetStartupInfoW (in: lpStartupInfo=0x18fae8 | out: lpStartupInfo=0x18fae8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.658] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId" [0069.659] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId", pNumArgs=0x18fad4 | out: pNumArgs=0x18fad4) returned 0xd92af0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0069.659] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0069.662] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x0, Size=0x1000) returned 0xd943d8 [0069.662] RtlAllocateHeap (HeapHandle=0xd80000, Flags=0x0, Size=0x56) returned 0xd8a3a8 [0069.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_duplicateCertificateId", cchWideChar=-1, lpMultiByteStr=0xd8a3a8, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_duplicateCertificateId", lpUsedDefaultChar=0x0) returned 43 [0069.662] GetLastError () returned 0x0 [0069.663] SetLastError (dwErrCode=0x0) [0069.663] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdW") returned 0x0 [0069.663] GetLastError () returned 0x7f [0069.663] SetLastError (dwErrCode=0x7f) [0069.663] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdA") returned 0x0 [0069.663] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateId") returned 0x647c6aee [0069.663] GetActiveWindow () returned 0x0 [0069.730] GetLastError () returned 0x7f [0069.731] SetLastError (dwErrCode=0x7f) Thread: id = 28 os_tid = 0x340 Process: id = "8" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x301a000" os_pid = "0xd1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x11ac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "9" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6308c000" os_pid = "0x83c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xce0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "10" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5fe4c000" os_pid = "0x768" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 689 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 690 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 691 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 692 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 693 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 694 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 695 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 696 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 697 start_va = 0xc90000 end_va = 0xc91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 698 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 699 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 700 start_va = 0x7f5d0000 end_va = 0x7f5f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5d0000" filename = "" Region: id = 701 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 702 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 703 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 704 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 733 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 734 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 735 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 736 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 737 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 738 start_va = 0xca0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 739 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 740 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 790 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 791 start_va = 0x7f4d0000 end_va = 0x7f5cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4d0000" filename = "" Region: id = 792 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 793 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 794 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 795 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 796 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 797 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 798 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 799 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 800 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 801 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 802 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 803 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 804 start_va = 0xc90000 end_va = 0xc93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 805 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 806 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 807 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 808 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 831 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 832 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 833 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 834 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 835 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 836 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 837 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 838 start_va = 0xca0000 end_va = 0xcc9fff monitored = 0 entry_point = 0xca5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 839 start_va = 0xdb0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 840 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 870 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 871 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 872 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 873 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 874 start_va = 0xca0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 875 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 876 start_va = 0xce0000 end_va = 0xd70fff monitored = 0 entry_point = 0xd18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 898 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 900 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 901 start_va = 0xcd0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 902 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 903 start_va = 0xcb0000 end_va = 0xcb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 937 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 938 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 939 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 940 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 1041 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 1042 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Thread: id = 26 os_tid = 0x864 [0069.689] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.689] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.689] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.689] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.689] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.690] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.690] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.690] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.691] GetProcessHeap () returned 0xdb0000 [0069.691] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.691] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.691] GetLastError () returned 0x7e [0069.691] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0069.692] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.692] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x364) returned 0xdc09a0 [0069.692] SetLastError (dwErrCode=0x7e) [0069.692] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0xe00) returned 0xdc0d10 [0069.694] GetStartupInfoW (in: lpStartupInfo=0x18fb2c | out: lpStartupInfo=0x18fb2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.694] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0069.694] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0069.694] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0069.694] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess" [0069.694] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess" [0069.694] GetACP () returned 0x4e4 [0069.694] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x220) returned 0xdc1b18 [0069.694] IsValidCodePage (CodePage=0x4e4) returned 1 [0069.694] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb4c | out: lpCPInfo=0x18fb4c) returned 1 [0069.695] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f414 | out: lpCPInfo=0x18f414) returned 1 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0069.695] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f428 | out: lpCharType=0x18f428) returned 1 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.695] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.695] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0069.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.695] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f928, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1f¼\x06Òdû\x18", lpUsedDefaultChar=0x0) returned 256 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.695] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0069.695] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.696] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0069.806] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f828, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1f¼\x06Òdû\x18", lpUsedDefaultChar=0x0) returned 256 [0069.808] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x80) returned 0xdb3878 [0069.809] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0069.821] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x190) returned 0xdc1d40 [0069.821] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0069.821] GetLastError () returned 0x0 [0069.821] SetLastError (dwErrCode=0x0) [0069.821] GetEnvironmentStringsW () returned 0xdc1ed8* [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0xa8c) returned 0xdc2970 [0069.822] FreeEnvironmentStringsW (penv=0xdc1ed8) returned 1 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x90) returned 0xdb4568 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3e) returned 0xdbb0c8 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x5c) returned 0xdb8840 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x6e) returned 0xdb4630 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x78) returned 0xdc3f30 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x62) returned 0xdb4a00 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x28) returned 0xdb3d98 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x48) returned 0xdb3fe8 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1a) returned 0xdb0570 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3a) returned 0xdbac90 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x62) returned 0xdb3bf8 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2a) returned 0xdb86f0 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2e) returned 0xdb85a0 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1c) returned 0xdb3dc8 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x144) returned 0xdb9cb8 [0069.822] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x7c) returned 0xdb80a0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x36) returned 0xdbe2f0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3a) returned 0xdbab28 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x90) returned 0xdb43a0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb3918 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x30) returned 0xdb8530 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x36) returned 0xdbdeb0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x48) returned 0xdb2908 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x52) returned 0xdb04b8 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3c) returned 0xdbaed0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0xd6) returned 0xdb9e78 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2e) returned 0xdb8418 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1e) returned 0xdb2958 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2c) returned 0xdb85d8 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x54) returned 0xdb3e10 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x52) returned 0xdb4070 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb3e70 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x42) returned 0xdb40d0 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2c) returned 0xdb8568 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x44) returned 0xdb9fa8 [0069.823] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb3948 [0069.824] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdc2970 | out: hHeap=0xdb0000) returned 1 [0069.824] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x800) returned 0xdc1ed8 [0069.825] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.825] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0069.825] GetStartupInfoW (in: lpStartupInfo=0x18fb90 | out: lpStartupInfo=0x18fb90*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.825] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess" [0069.825] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess", pNumArgs=0x18fb7c | out: pNumArgs=0x18fb7c) returned 0xdc2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0069.825] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0069.828] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x1000) returned 0xdc4410 [0069.828] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x58) returned 0xdba6f0 [0069.828] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureCertificateAccess", cchWideChar=-1, lpMultiByteStr=0xdba6f0, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureCertificateAccess", lpUsedDefaultChar=0x0) returned 44 [0069.828] GetLastError () returned 0x0 [0069.828] SetLastError (dwErrCode=0x0) [0069.828] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessW") returned 0x0 [0069.828] GetLastError () returned 0x7f [0069.828] SetLastError (dwErrCode=0x7f) [0069.829] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessA") returned 0x0 [0069.829] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccess") returned 0x647c84a4 [0069.829] GetActiveWindow () returned 0x0 [0069.869] GetLastError () returned 0x7f [0069.869] SetLastError (dwErrCode=0x7f) Thread: id = 30 os_tid = 0x1278 Process: id = "11" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7766d000" os_pid = "0x123c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 755 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 756 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 757 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 758 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 759 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 760 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 761 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 762 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 763 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 764 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 765 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 766 start_va = 0x7eb70000 end_va = 0x7eb92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb70000" filename = "" Region: id = 767 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 768 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 769 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 770 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 813 start_va = 0x410000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 814 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 815 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 816 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 817 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 818 start_va = 0x410000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 819 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 820 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 821 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 841 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 842 start_va = 0x7ea70000 end_va = 0x7eb6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea70000" filename = "" Region: id = 843 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 844 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 845 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 846 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 847 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 848 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 849 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 850 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 851 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 852 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 853 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 854 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 855 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 856 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 857 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 858 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 859 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 860 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 861 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 862 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 863 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 892 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 893 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 894 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 895 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 896 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 897 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 909 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 910 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 911 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 912 start_va = 0xa30000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 913 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 914 start_va = 0xad0000 end_va = 0xb60fff monitored = 0 entry_point = 0xb08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 915 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 941 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 942 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 943 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1043 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1044 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1045 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 1046 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1047 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1145 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1146 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Thread: id = 29 os_tid = 0x904 [0069.948] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.949] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.949] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.949] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.949] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.949] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.950] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.950] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0069.950] GetProcessHeap () returned 0x500000 [0069.950] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.950] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0069.950] GetLastError () returned 0x7e [0069.951] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0069.951] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0069.951] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x364) returned 0x510a58 [0069.951] SetLastError (dwErrCode=0x7e) [0069.951] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xe00) returned 0x510dc8 [0069.953] GetStartupInfoW (in: lpStartupInfo=0x18fc58 | out: lpStartupInfo=0x18fc58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.953] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0069.953] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0069.953] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0069.953] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess" [0069.953] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess" [0069.953] GetACP () returned 0x4e4 [0069.953] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x220) returned 0x511bd0 [0069.953] IsValidCodePage (CodePage=0x4e4) returned 1 [0069.953] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc78 | out: lpCPInfo=0x18fc78) returned 1 [0069.953] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f540 | out: lpCPInfo=0x18f540) returned 1 [0069.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.953] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f554 | out: lpCharType=0x18f554) returned 1 [0069.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0069.953] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0069.954] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0069.954] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.954] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f088, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0069.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa54, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿqµ\x04¸\x90ü\x18", lpUsedDefaultChar=0x0) returned 256 [0069.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0069.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0069.954] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0069.954] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0069.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f954, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿqµ\x04¸\x90ü\x18", lpUsedDefaultChar=0x0) returned 256 [0069.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x80) returned 0x503860 [0069.954] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0069.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x180) returned 0x511df8 [0069.954] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0069.954] GetLastError () returned 0x0 [0069.954] SetLastError (dwErrCode=0x0) [0069.954] GetEnvironmentStringsW () returned 0x511f80* [0069.954] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0xa8c) returned 0x512a18 [0069.955] FreeEnvironmentStringsW (penv=0x511f80) returned 1 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x90) returned 0x504550 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x3e) returned 0x50b0f8 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x5c) returned 0x508828 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x6e) returned 0x504618 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x78) returned 0x513758 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x62) returned 0x5049e8 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x28) returned 0x503d80 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x503fd0 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1a) returned 0x500570 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x3a) returned 0x50b140 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x62) returned 0x503be0 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2a) returned 0x5084e0 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2e) returned 0x508518 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1c) returned 0x503db0 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x144) returned 0x509a40 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x7c) returned 0x508088 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x36) returned 0x50dfe8 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x3a) returned 0x50a9a8 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x90) returned 0x504388 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x24) returned 0x503900 [0069.955] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x30) returned 0x5086a0 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x36) returned 0x50e028 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x48) returned 0x5028f8 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x52) returned 0x5004b8 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x3c) returned 0x50ad50 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0xd6) returned 0x509c00 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2e) returned 0x5086d8 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x1e) returned 0x502948 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2c) returned 0x508748 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x54) returned 0x503df8 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x52) returned 0x504058 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x24) returned 0x503e58 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x42) returned 0x5040b8 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x2c) returned 0x508550 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x44) returned 0x509f90 [0069.956] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x24) returned 0x503930 [0069.957] HeapFree (in: hHeap=0x500000, dwFlags=0x0, lpMem=0x512a18 | out: hHeap=0x500000) returned 1 [0069.957] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x8, Size=0x800) returned 0x511f80 [0069.958] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0069.958] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0069.958] GetStartupInfoW (in: lpStartupInfo=0x18fcbc | out: lpStartupInfo=0x18fcbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0069.958] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess" [0069.958] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess", pNumArgs=0x18fca8 | out: pNumArgs=0x18fca8) returned 0x512bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0069.959] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0070.170] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x1000) returned 0x5144b8 [0070.170] RtlAllocateHeap (HeapHandle=0x500000, Flags=0x0, Size=0x48) returned 0x50a6d8 [0070.170] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureKeyAccess", cchWideChar=-1, lpMultiByteStr=0x50a6d8, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureKeyAccess", lpUsedDefaultChar=0x0) returned 36 [0070.170] GetLastError () returned 0x0 [0070.170] SetLastError (dwErrCode=0x0) [0070.170] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessW") returned 0x0 [0070.170] GetLastError () returned 0x7f [0070.170] SetLastError (dwErrCode=0x7f) [0070.171] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessA") returned 0x0 [0070.171] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccess") returned 0x647c86f6 [0070.171] GetActiveWindow () returned 0x0 [0070.172] GetLastError () returned 0x7f [0070.172] SetLastError (dwErrCode=0x7f) Thread: id = 32 os_tid = 0x1148 Process: id = "12" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5ff1d000" os_pid = "0x12c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xd04" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "13" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6a386000" os_pid = "0x11e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 921 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 922 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 923 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 924 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 925 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 926 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 927 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 928 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 929 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 930 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 931 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 932 start_va = 0x7f690000 end_va = 0x7f6b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f690000" filename = "" Region: id = 933 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 934 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 935 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 936 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 944 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 945 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 946 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 947 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 948 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 949 start_va = 0x410000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 950 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 951 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1048 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1049 start_va = 0x7f590000 end_va = 0x7f68ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f590000" filename = "" Region: id = 1050 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1051 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1052 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1053 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1054 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1055 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1056 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1057 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1058 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1059 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1060 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1061 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1062 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1063 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1064 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1065 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1066 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1067 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1068 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1147 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1148 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1149 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1150 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1151 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1152 start_va = 0x510000 end_va = 0x539fff monitored = 0 entry_point = 0x515680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1153 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1154 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1169 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1170 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1171 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1172 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 1173 start_va = 0xa60000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 1174 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1175 start_va = 0xa60000 end_va = 0xaf0fff monitored = 0 entry_point = 0xa98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1176 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1232 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1274 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1275 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1276 start_va = 0x520000 end_va = 0x527fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1378 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1431 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 1436 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1437 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 1438 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1439 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Thread: id = 33 os_tid = 0x1214 [0071.085] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0071.085] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.086] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0071.086] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.086] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0071.086] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0071.087] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.087] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0071.087] GetProcessHeap () returned 0x540000 [0071.087] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.088] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0071.088] GetLastError () returned 0x7e [0071.088] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0071.088] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0071.088] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x364) returned 0x550a60 [0071.088] SetLastError (dwErrCode=0x7e) [0071.088] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe00) returned 0x550dd0 [0071.418] GetStartupInfoW (in: lpStartupInfo=0x18fc1c | out: lpStartupInfo=0x18fc1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0071.418] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0071.418] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0071.418] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0071.419] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds" [0071.419] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds" [0071.419] GetACP () returned 0x4e4 [0071.419] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x220) returned 0x551bd8 [0071.419] IsValidCodePage (CodePage=0x4e4) returned 1 [0071.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc3c | out: lpCPInfo=0x18fc3c) returned 1 [0071.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f504 | out: lpCPInfo=0x18f504) returned 1 [0071.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0071.419] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f518 | out: lpCharType=0x18f518) returned 1 [0071.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0071.419] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.419] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0071.420] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0071.420] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0071.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÇ@\x08\x10Tü\x18", lpUsedDefaultChar=0x0) returned 256 [0071.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0071.420] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0071.420] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f068, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0071.420] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f918, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÇ@\x08\x10Tü\x18", lpUsedDefaultChar=0x0) returned 256 [0071.420] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x80) returned 0x543868 [0071.420] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0071.420] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x186) returned 0x551e00 [0071.420] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0071.420] GetLastError () returned 0x0 [0071.420] SetLastError (dwErrCode=0x0) [0071.420] GetEnvironmentStringsW () returned 0x551f90* [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0xa8c) returned 0x552a28 [0071.421] FreeEnvironmentStringsW (penv=0x551f90) returned 1 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544558 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54af50 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x5c) returned 0x548830 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x6e) returned 0x544620 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x78) returned 0x553ee8 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x5449f0 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x28) returned 0x543d88 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x543fd8 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1a) returned 0x540570 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54b070 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x543be8 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2a) returned 0x548718 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548788 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1c) returned 0x543db8 [0071.421] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x144) returned 0x549ca8 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x7c) returned 0x548090 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e630 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54abf0 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544390 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543908 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x30) returned 0x548440 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e3f0 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x542900 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5404b8 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3c) returned 0x54ac80 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xd6) returned 0x549e68 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548590 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1e) returned 0x542950 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x5486a8 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x54) returned 0x543e00 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x544060 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543e60 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x42) returned 0x5440c0 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548600 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x549f98 [0071.422] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543938 [0071.423] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x552a28 | out: hHeap=0x540000) returned 1 [0071.423] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x800) returned 0x551f90 [0071.423] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0071.423] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0071.423] GetStartupInfoW (in: lpStartupInfo=0x18fc80 | out: lpStartupInfo=0x18fc80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0071.423] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds" [0071.423] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds", pNumArgs=0x18fc6c | out: pNumArgs=0x18fc6c) returned 0x552be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0071.424] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0071.426] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x1000) returned 0x5544c8 [0071.426] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x4e) returned 0x54a6e0 [0071.426] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumCertificateIds", cchWideChar=-1, lpMultiByteStr=0x54a6e0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumCertificateIds", lpUsedDefaultChar=0x0) returned 39 [0071.426] GetLastError () returned 0x0 [0071.426] SetLastError (dwErrCode=0x0) [0071.427] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsW") returned 0x0 [0071.427] GetLastError () returned 0x7f [0071.427] SetLastError (dwErrCode=0x7f) [0071.427] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsA") returned 0x0 [0071.427] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIds") returned 0x647c9404 [0071.427] GetActiveWindow () returned 0x0 [0071.645] GetLastError () returned 0x7f [0071.645] SetLastError (dwErrCode=0x7f) Thread: id = 41 os_tid = 0x12d0 Process: id = "14" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5321d000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xce0" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3296 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 952 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 953 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 954 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 955 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 956 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 957 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 958 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 959 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 960 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 961 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 962 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 963 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 964 start_va = 0x7f060000 end_va = 0x7f082fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 965 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 966 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 967 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 968 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 969 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 970 start_va = 0x100000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 971 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 972 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1069 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1070 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1071 start_va = 0x5130000 end_va = 0x534ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 1072 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1073 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1074 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1075 start_va = 0x7ef60000 end_va = 0x7f05ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 1076 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1077 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1078 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1155 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1156 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1157 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1158 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1159 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1160 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1161 start_va = 0xff0000 end_va = 0xff3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 1162 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1163 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1164 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1165 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1306 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1307 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1308 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1309 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1310 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1311 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1312 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 1387 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 1394 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 1395 start_va = 0x5350000 end_va = 0x54bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 1396 start_va = 0x1000000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1398 start_va = 0x1000000 end_va = 0x1003fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1399 start_va = 0x1080000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 1405 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1406 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1417 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1418 start_va = 0x1010000 end_va = 0x1039fff monitored = 0 entry_point = 0x1015680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1419 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1446 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1447 start_va = 0x1010000 end_va = 0x1013fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 1448 start_va = 0x54c0000 end_va = 0x68bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000054c0000" filename = "" Region: id = 1453 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1454 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1455 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1456 start_va = 0x68c0000 end_va = 0x6a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068c0000" filename = "" Region: id = 1650 start_va = 0x1020000 end_va = 0x1020fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 1651 start_va = 0x1030000 end_va = 0x1030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1652 start_va = 0x1040000 end_va = 0x1040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 1653 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1654 start_va = 0x1040000 end_va = 0x1040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 1655 start_va = 0x6a50000 end_va = 0x724ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a50000" filename = "" Region: id = 1656 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1657 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1687 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1688 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1689 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1690 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1691 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1692 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1693 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1694 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1695 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1696 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1697 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1698 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1699 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1700 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1701 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1702 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1703 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1704 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1705 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1706 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1707 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1708 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1709 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1710 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1711 start_va = 0x1040000 end_va = 0x1046fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1761 start_va = 0x820000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 1762 start_va = 0x860000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1890 start_va = 0x5130000 end_va = 0x51affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 1891 start_va = 0x5250000 end_va = 0x534ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005250000" filename = "" Region: id = 1951 start_va = 0x1040000 end_va = 0x1041fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 1953 start_va = 0x1050000 end_va = 0x1050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 1960 start_va = 0x6f650000 end_va = 0x6fa6dfff monitored = 0 entry_point = 0x6f74ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 1961 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1990 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 2004 start_va = 0x6f5e0000 end_va = 0x6f64ffff monitored = 0 entry_point = 0x6f634b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 2005 start_va = 0x5350000 end_va = 0x5439fff monitored = 0 entry_point = 0x538d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2006 start_va = 0x54b0000 end_va = 0x54bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054b0000" filename = "" Region: id = 2007 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2008 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2009 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2031 start_va = 0x5350000 end_va = 0x544ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 2032 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2058 start_va = 0x6a50000 end_va = 0x6d86fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2074 start_va = 0x1050000 end_va = 0x1051fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2075 start_va = 0x1050000 end_va = 0x1053fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2076 start_va = 0x1050000 end_va = 0x1055fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2077 start_va = 0x1050000 end_va = 0x1057fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2078 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 2079 start_va = 0x1050000 end_va = 0x1059fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2080 start_va = 0x1050000 end_va = 0x105bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2081 start_va = 0x1050000 end_va = 0x105dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2082 start_va = 0x1050000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2083 start_va = 0x1050000 end_va = 0x1061fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2084 start_va = 0x1050000 end_va = 0x1063fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2085 start_va = 0x1050000 end_va = 0x1065fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2086 start_va = 0x1050000 end_va = 0x1067fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2087 start_va = 0x1050000 end_va = 0x1069fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2088 start_va = 0x1050000 end_va = 0x106bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2089 start_va = 0x1050000 end_va = 0x106dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2090 start_va = 0x1050000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2091 start_va = 0x1050000 end_va = 0x1071fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2194 start_va = 0x68c0000 end_va = 0x699ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2195 start_va = 0x6a40000 end_va = 0x6a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a40000" filename = "" Region: id = 2376 start_va = 0x6d90000 end_va = 0x6e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d90000" filename = "" Region: id = 2377 start_va = 0x6e60000 end_va = 0x6f0afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006e60000" filename = "" Region: id = 2400 start_va = 0x6f10000 end_va = 0x6fb9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f10000" filename = "" Region: id = 2609 start_va = 0x1050000 end_va = 0x1050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 2610 start_va = 0x1060000 end_va = 0x1062fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 2611 start_va = 0x1070000 end_va = 0x1073fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 2612 start_va = 0x6d90000 end_va = 0x758ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006d90000" filename = "" Region: id = 2613 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2614 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2615 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2616 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2617 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2618 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2619 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2620 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2621 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2622 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2623 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2624 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2625 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2626 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2647 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2648 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2649 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2650 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2651 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2652 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2653 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2654 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2655 start_va = 0x6d90000 end_va = 0x6e8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006d90000" filename = "" Region: id = 2656 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2657 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2658 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2659 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2698 start_va = 0x1090000 end_va = 0x1096fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2699 start_va = 0x6f560000 end_va = 0x6f5c3fff monitored = 0 entry_point = 0x6f59e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 2700 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2701 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2702 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2703 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2704 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2705 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2706 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 2707 start_va = 0x6f3f0000 end_va = 0x6f556fff monitored = 0 entry_point = 0x6f46b9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 2708 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2709 start_va = 0x6f3c0000 end_va = 0x6f3e7fff monitored = 0 entry_point = 0x6f3c7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2710 start_va = 0x1090000 end_va = 0x1090fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2711 start_va = 0x920000 end_va = 0x921fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 2712 start_va = 0x1090000 end_va = 0x1090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 2713 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2741 start_va = 0x10a0000 end_va = 0x10a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010a0000" filename = "" Region: id = 2742 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 3147 start_va = 0x930000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3148 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 3149 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3150 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 3151 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3152 start_va = 0xa70000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 3241 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 4378 start_va = 0x1090000 end_va = 0x1090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 4379 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5333 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5683 start_va = 0x1090000 end_va = 0x1094fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 5684 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 5685 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5782 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5954 start_va = 0xab0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 5955 start_va = 0xaf0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 5958 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 5959 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 6090 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 6176 start_va = 0xb30000 end_va = 0xb31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 6177 start_va = 0x6f9e0000 end_va = 0x6fa5afff monitored = 0 entry_point = 0x6fa04d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 6201 start_va = 0xb40000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 6202 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 6203 start_va = 0x6f950000 end_va = 0x6f9d0fff monitored = 0 entry_point = 0x6f956310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 6204 start_va = 0x6f930000 end_va = 0x6f945fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6205 start_va = 0x6f8f0000 end_va = 0x6f920fff monitored = 0 entry_point = 0x6f9022d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 6206 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 6207 start_va = 0x6e90000 end_va = 0x6f4bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006e90000" filename = "" Region: id = 6208 start_va = 0x10b0000 end_va = 0x10b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 6209 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 6210 start_va = 0x10c0000 end_va = 0x10c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 6211 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 6212 start_va = 0x51b0000 end_va = 0x51b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051b0000" filename = "" Region: id = 6220 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 6240 start_va = 0x51c0000 end_va = 0x51c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 6241 start_va = 0x6fa60000 end_va = 0x6fa6cfff monitored = 0 entry_point = 0x6fa67d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 6242 start_va = 0x51d0000 end_va = 0x51d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 6243 start_va = 0xbd0000 end_va = 0xbd2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 6244 start_va = 0x6f50000 end_va = 0x7441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006f50000" filename = "" Region: id = 6267 start_va = 0x6f50000 end_va = 0x7f8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 6268 start_va = 0x7f90000 end_va = 0x8481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f90000" filename = "" Region: id = 6280 start_va = 0xbe0000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 6688 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 6689 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 35 os_tid = 0x11b8 Thread: id = 45 os_tid = 0x12a4 Thread: id = 52 os_tid = 0x12f4 Thread: id = 66 os_tid = 0x5fc Thread: id = 112 os_tid = 0xc90 Thread: id = 113 os_tid = 0xc94 Thread: id = 114 os_tid = 0xc98 Thread: id = 178 os_tid = 0x904 Thread: id = 190 os_tid = 0x12a0 Process: id = "15" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x65f22000" os_pid = "0x11cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x11ac" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4524 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 973 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 974 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 975 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 976 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 977 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 978 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 979 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 980 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 981 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 982 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 983 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 984 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 985 start_va = 0x7ea90000 end_va = 0x7eab2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea90000" filename = "" Region: id = 986 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 987 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 988 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 989 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 990 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 991 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 992 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 993 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 994 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 995 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 996 start_va = 0x7a0000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 997 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 998 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1079 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1080 start_va = 0x7e990000 end_va = 0x7ea8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e990000" filename = "" Region: id = 1081 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1082 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1083 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1084 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1085 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1086 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1087 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1088 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1089 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1090 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1091 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1092 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1093 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1094 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1229 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1230 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1231 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1246 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1247 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1248 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1250 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 1299 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1300 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1301 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 1388 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 1389 start_va = 0x9c0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1460 start_va = 0x9c0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1461 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 1462 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 1463 start_va = 0x8c0000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 1464 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1465 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1498 start_va = 0x5a0000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1499 start_va = 0x7b0000 end_va = 0x7d9fff monitored = 0 entry_point = 0x7b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1500 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1520 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 1521 start_va = 0xbc0000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1522 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 1671 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1672 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1673 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1674 start_va = 0x7c0000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1771 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 1772 start_va = 0x820000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 1773 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1774 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1775 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1776 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1777 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 1778 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1779 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1780 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1781 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1782 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1783 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1784 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1785 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1786 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1787 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1788 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1789 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1835 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1836 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1837 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1838 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1839 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1840 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1841 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1842 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1843 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1844 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1845 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1846 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1847 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1848 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1849 start_va = 0x7e0000 end_va = 0x7e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1928 start_va = 0x550000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1929 start_va = 0x730000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2030 start_va = 0x830000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 2217 start_va = 0x7e0000 end_va = 0x7e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 2218 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2219 start_va = 0x6f650000 end_va = 0x6fa6dfff monitored = 0 entry_point = 0x6f74ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 2220 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2221 start_va = 0x6f5e0000 end_va = 0x6f64ffff monitored = 0 entry_point = 0x6f634b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 2222 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 2223 start_va = 0x9c0000 end_va = 0xaa9fff monitored = 0 entry_point = 0x9fd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2224 start_va = 0xaf0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2253 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2254 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2255 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2256 start_va = 0x9c0000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 2257 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2277 start_va = 0xd50000 end_va = 0x1086fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2278 start_va = 0x7f0000 end_va = 0x7f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2279 start_va = 0x7f0000 end_va = 0x7f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2280 start_va = 0x7f0000 end_va = 0x7f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2281 start_va = 0x7f0000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2282 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 2283 start_va = 0x7f0000 end_va = 0x7f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2284 start_va = 0x7f0000 end_va = 0x7fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2285 start_va = 0x7f0000 end_va = 0x7fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2286 start_va = 0x7f0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2287 start_va = 0x7f0000 end_va = 0x801fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2288 start_va = 0x7f0000 end_va = 0x803fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2289 start_va = 0x7f0000 end_va = 0x805fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2290 start_va = 0x7f0000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2291 start_va = 0x7f0000 end_va = 0x809fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2292 start_va = 0x7f0000 end_va = 0x80bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2293 start_va = 0x7f0000 end_va = 0x80dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2294 start_va = 0x7f0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2295 start_va = 0x7f0000 end_va = 0x811fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2325 start_va = 0x6630000 end_va = 0x670ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2483 start_va = 0x6710000 end_va = 0x67d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 2484 start_va = 0x67e0000 end_va = 0x6897fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067e0000" filename = "" Region: id = 2627 start_va = 0xb00000 end_va = 0xba5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 2804 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 2805 start_va = 0x800000 end_va = 0x802fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 2806 start_va = 0x810000 end_va = 0x813fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2814 start_va = 0x6710000 end_va = 0x6f0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006710000" filename = "" Region: id = 2815 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2816 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2817 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2818 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2819 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2820 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2821 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2822 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2854 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2855 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2856 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2857 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2858 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2859 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2860 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2861 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2862 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2863 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2864 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2865 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2866 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2867 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2868 start_va = 0x6710000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 2869 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2870 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2871 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2887 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2888 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2889 start_va = 0x6f560000 end_va = 0x6f5c3fff monitored = 0 entry_point = 0x6f59e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 2890 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 2891 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2892 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2893 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2894 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2895 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2900 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 2901 start_va = 0x6f3f0000 end_va = 0x6f556fff monitored = 0 entry_point = 0x6f46b9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 2902 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 2903 start_va = 0x6f3c0000 end_va = 0x6f3e7fff monitored = 0 entry_point = 0x6f3c7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2904 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2905 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 2906 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 2907 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2908 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 2909 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 3225 start_va = 0xb00000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3226 start_va = 0xb40000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 3227 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 3228 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 3229 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 3230 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 3328 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5625 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 5626 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5747 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5931 start_va = 0x8b0000 end_va = 0x8b4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 5932 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 5933 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 6032 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 6174 start_va = 0x68d0000 end_va = 0x690ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 6175 start_va = 0x6910000 end_va = 0x694ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006910000" filename = "" Region: id = 6199 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 6200 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 6600 start_va = 0x6f8e0000 end_va = 0x6f8e8fff monitored = 0 entry_point = 0x6f8e3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 7013 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 7014 start_va = 0x6f9e0000 end_va = 0x6fa5afff monitored = 0 entry_point = 0x6fa04d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 7023 start_va = 0x6950000 end_va = 0x698ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006950000" filename = "" Region: id = 7024 start_va = 0x6990000 end_va = 0x69cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006990000" filename = "" Region: id = 7025 start_va = 0x6f950000 end_va = 0x6f9d0fff monitored = 0 entry_point = 0x6f956310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 7026 start_va = 0x6f930000 end_va = 0x6f945fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 7027 start_va = 0x6f8f0000 end_va = 0x6f920fff monitored = 0 entry_point = 0x6f9022d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 7028 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 7029 start_va = 0x69d0000 end_va = 0x6a8bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069d0000" filename = "" Region: id = 7030 start_va = 0xad0000 end_va = 0xad3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 7031 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 7032 start_va = 0xae0000 end_va = 0xae3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 7033 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 7034 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 7035 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 7036 start_va = 0xba0000 end_va = 0xba0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 7037 start_va = 0x6fa60000 end_va = 0x6fa6cfff monitored = 0 entry_point = 0x6fa67d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 7038 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 7039 start_va = 0x740000 end_va = 0x742fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 7040 start_va = 0x6a90000 end_va = 0x6f81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a90000" filename = "" Region: id = 7041 start_va = 0x6f90000 end_va = 0x7fcffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 7047 start_va = 0x7fd0000 end_va = 0x8011fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007fd0000" filename = "" Region: id = 7070 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 7071 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 36 os_tid = 0x11a4 Thread: id = 42 os_tid = 0x12b4 Thread: id = 48 os_tid = 0x12bc Thread: id = 54 os_tid = 0x358 Thread: id = 71 os_tid = 0x1384 Thread: id = 121 os_tid = 0x1100 Thread: id = 122 os_tid = 0x110c Thread: id = 123 os_tid = 0x7e8 Thread: id = 189 os_tid = 0x12cc Thread: id = 203 os_tid = 0x5fc Process: id = "16" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6ca27000" os_pid = "0x11c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xd04" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3332 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1018 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1019 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1020 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1021 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1022 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1023 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1024 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1025 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1026 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1027 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 1028 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 1029 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1030 start_va = 0x7ee20000 end_va = 0x7ee42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee20000" filename = "" Region: id = 1031 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1032 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1033 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 1034 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1035 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1036 start_va = 0x100000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1037 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1038 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1039 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1040 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1144 start_va = 0x660000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1166 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1167 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1177 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1178 start_va = 0x7ed20000 end_va = 0x7ee1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed20000" filename = "" Region: id = 1179 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1180 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1181 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1182 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1183 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1233 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1234 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1235 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1236 start_va = 0x650000 end_va = 0x653fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1237 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1238 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1239 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1240 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1295 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1296 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1297 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1298 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 1302 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1303 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1304 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1305 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 1397 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 1400 start_va = 0x930000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 1401 start_va = 0x660000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1402 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1403 start_va = 0x660000 end_va = 0x663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1404 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1407 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1408 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1420 start_va = 0x670000 end_va = 0x699fff monitored = 0 entry_point = 0x675680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1421 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 1422 start_va = 0xb20000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1423 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1443 start_va = 0x670000 end_va = 0x673fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 1444 start_va = 0xb30000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 1445 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 1449 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1450 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1451 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1452 start_va = 0x700000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1539 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1540 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1541 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1542 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1543 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1544 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 1573 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1574 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1575 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1576 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1577 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1578 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1579 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1580 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1581 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1582 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1583 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1584 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1585 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1592 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1593 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1594 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1595 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1596 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1597 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1598 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1599 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1600 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1601 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1602 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1603 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1604 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1605 start_va = 0x6a0000 end_va = 0x6a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1675 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1676 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1677 start_va = 0x700000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 1678 start_va = 0x7d0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1800 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 1850 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1930 start_va = 0x6f650000 end_va = 0x6fa6dfff monitored = 0 entry_point = 0x6f74ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 1974 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1991 start_va = 0x6f5e0000 end_va = 0x6f64ffff monitored = 0 entry_point = 0x6f634b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 2000 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 2010 start_va = 0xcc0000 end_va = 0xda9fff monitored = 0 entry_point = 0xcfd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2023 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2024 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2025 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2056 start_va = 0xcc0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2057 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2072 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2134 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2135 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2136 start_va = 0x6b0000 end_va = 0x6b5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2137 start_va = 0x6b0000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2180 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2181 start_va = 0x6b0000 end_va = 0x6b9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2182 start_va = 0x6b0000 end_va = 0x6bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2183 start_va = 0x6b0000 end_va = 0x6bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2184 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2185 start_va = 0x6b0000 end_va = 0x6c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2186 start_va = 0x6b0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2187 start_va = 0x6b0000 end_va = 0x6c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2188 start_va = 0x6b0000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2189 start_va = 0x6b0000 end_va = 0x6c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2190 start_va = 0x6b0000 end_va = 0x6cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2191 start_va = 0x6b0000 end_va = 0x6cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2192 start_va = 0x6b0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2193 start_va = 0x6b0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2245 start_va = 0xdc0000 end_va = 0xe9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2275 start_va = 0xea0000 end_va = 0xf66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 2276 start_va = 0xf70000 end_va = 0x1021fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 2324 start_va = 0x1030000 end_va = 0x10d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2401 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2438 start_va = 0x6c0000 end_va = 0x6c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 2439 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2472 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 2473 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2474 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2475 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2476 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2477 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2478 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2479 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2480 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2481 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2482 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2514 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2515 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2516 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2517 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2518 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2519 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2520 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2521 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2522 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2523 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2524 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2525 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2526 start_va = 0xea0000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 2527 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2528 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2529 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2530 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2600 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2601 start_va = 0x6f560000 end_va = 0x6f5c3fff monitored = 0 entry_point = 0x6f59e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 2602 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2603 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2604 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2605 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2606 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2607 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2608 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 2642 start_va = 0x6f3f0000 end_va = 0x6f556fff monitored = 0 entry_point = 0x6f46b9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 2643 start_va = 0x6f3c0000 end_va = 0x6f3e7fff monitored = 0 entry_point = 0x6f3c7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2691 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2692 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2693 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2694 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2695 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2696 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2697 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 3141 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3142 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 3143 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 3144 start_va = 0xac0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 3145 start_va = 0xfa0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 3146 start_va = 0xfe0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3240 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 3818 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 3819 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 4425 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5627 start_va = 0x6e0000 end_va = 0x6e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 5628 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 5629 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5769 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5934 start_va = 0x1020000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 5935 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 5936 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 5937 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 6071 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 6167 start_va = 0x820000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 6168 start_va = 0x6f9e0000 end_va = 0x6fa5afff monitored = 0 entry_point = 0x6fa04d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 6169 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 6170 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 6171 start_va = 0x6f950000 end_va = 0x6f9d0fff monitored = 0 entry_point = 0x6f956310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 6172 start_va = 0x6f930000 end_va = 0x6f945fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6173 start_va = 0x6f8f0000 end_va = 0x6f920fff monitored = 0 entry_point = 0x6f9022d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 6194 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 6195 start_va = 0x68b0000 end_va = 0x696bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068b0000" filename = "" Region: id = 6196 start_va = 0xb00000 end_va = 0xb03fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 6197 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 6198 start_va = 0xb10000 end_va = 0xb13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 6235 start_va = 0x6970000 end_va = 0x6970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006970000" filename = "" Region: id = 6236 start_va = 0x6980000 end_va = 0x6980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006980000" filename = "" Region: id = 6237 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 6245 start_va = 0x6990000 end_va = 0x6990fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 6246 start_va = 0x6fa60000 end_va = 0x6fa6cfff monitored = 0 entry_point = 0x6fa67d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 6247 start_va = 0x69a0000 end_va = 0x69a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 6248 start_va = 0x69c0000 end_va = 0x69c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000069c0000" filename = "" Region: id = 6249 start_va = 0x69d0000 end_va = 0x6ec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069d0000" filename = "" Region: id = 6276 start_va = 0x69d0000 end_va = 0x7a0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 6277 start_va = 0x7a10000 end_va = 0x7f01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007a10000" filename = "" Region: id = 6278 start_va = 0x7f10000 end_va = 0x7f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f10000" filename = "" Region: id = 7019 start_va = 0x69b0000 end_va = 0x69b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000069b0000" filename = "" Region: id = 7020 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 37 os_tid = 0x11c8 Thread: id = 46 os_tid = 0x12b8 Thread: id = 51 os_tid = 0x98c Thread: id = 62 os_tid = 0x1308 Thread: id = 109 os_tid = 0xc84 Thread: id = 110 os_tid = 0xc88 Thread: id = 111 os_tid = 0xc8c Thread: id = 175 os_tid = 0x1278 Thread: id = 187 os_tid = 0xbbc Process: id = "17" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6c72c000" os_pid = "0x11a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xd00" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3328 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1095 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1096 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1097 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1098 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1099 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1100 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1101 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1102 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1103 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1104 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 1105 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 1106 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1107 start_va = 0x7ea40000 end_va = 0x7ea62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea40000" filename = "" Region: id = 1108 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1109 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1110 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 1111 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1112 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1113 start_va = 0x100000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1114 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1115 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1116 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1117 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1168 start_va = 0x780000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1227 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1228 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1281 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1282 start_va = 0x7e940000 end_va = 0x7ea3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e940000" filename = "" Region: id = 1283 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1284 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1285 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1286 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1287 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1288 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1289 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1290 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1291 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1292 start_va = 0x770000 end_va = 0x773fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1293 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1294 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1379 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1380 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 1381 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1382 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 1383 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1384 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1385 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 1386 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 1390 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 1391 start_va = 0x780000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1392 start_va = 0x810000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 1393 start_va = 0x910000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1466 start_va = 0x780000 end_va = 0x783fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1467 start_va = 0x7b0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1468 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1469 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1501 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1502 start_va = 0x7c0000 end_va = 0x7e9fff monitored = 0 entry_point = 0x7c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1519 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1557 start_va = 0x790000 end_va = 0x793fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 1558 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 1559 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 1663 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1664 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1665 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1666 start_va = 0x910000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1667 start_va = 0xa80000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1763 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1764 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1765 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1766 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1767 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1768 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 1769 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1770 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1810 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1811 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1812 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1813 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1814 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1815 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1816 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1817 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1818 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1819 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1820 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1821 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1822 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1823 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1824 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1825 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1826 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1827 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1828 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1829 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1830 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1831 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1832 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1833 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1834 start_va = 0x7d0000 end_va = 0x7d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1892 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1893 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1894 start_va = 0x910000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 1895 start_va = 0xa20000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 1952 start_va = 0x7d0000 end_va = 0x7d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 1959 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1972 start_va = 0x6f650000 end_va = 0x6fa6dfff monitored = 0 entry_point = 0x6f74ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 1973 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1992 start_va = 0x6f5e0000 end_va = 0x6f64ffff monitored = 0 entry_point = 0x6f634b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 1993 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 1994 start_va = 0xc20000 end_va = 0xd09fff monitored = 0 entry_point = 0xc5d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1995 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2026 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2027 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2054 start_va = 0xc20000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 2055 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2073 start_va = 0xd20000 end_va = 0x1056fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2124 start_va = 0x7e0000 end_va = 0x7e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2125 start_va = 0x7e0000 end_va = 0x7e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2126 start_va = 0x7e0000 end_va = 0x7e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2127 start_va = 0x7e0000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2128 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2129 start_va = 0x7e0000 end_va = 0x7e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2130 start_va = 0x7e0000 end_va = 0x7ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2131 start_va = 0x7e0000 end_va = 0x7edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2132 start_va = 0x7e0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2133 start_va = 0x7e0000 end_va = 0x7f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2172 start_va = 0x7e0000 end_va = 0x7f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2173 start_va = 0x7e0000 end_va = 0x7f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2174 start_va = 0x7e0000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2175 start_va = 0x7e0000 end_va = 0x7f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2176 start_va = 0x7e0000 end_va = 0x7fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2177 start_va = 0x7e0000 end_va = 0x7fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2178 start_va = 0x7e0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2179 start_va = 0x7e0000 end_va = 0x801fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2246 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2375 start_va = 0x6610000 end_va = 0x66d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 2399 start_va = 0x66e0000 end_va = 0x678bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 2437 start_va = 0x6790000 end_va = 0x6831fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 2644 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 2645 start_va = 0x7f0000 end_va = 0x7f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 2646 start_va = 0x800000 end_va = 0x803fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 2664 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 2665 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2666 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2667 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2668 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2669 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2670 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2671 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2672 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2673 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2714 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2715 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2716 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2717 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2718 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2719 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2720 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2721 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2722 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2723 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2724 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2725 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2726 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2758 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 2759 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2760 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2761 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2762 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2763 start_va = 0x990000 end_va = 0x996fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2764 start_va = 0x6f560000 end_va = 0x6f5c3fff monitored = 0 entry_point = 0x6f59e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 2765 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2766 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2767 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2768 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2769 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2791 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 2792 start_va = 0x6f3f0000 end_va = 0x6f556fff monitored = 0 entry_point = 0x6f46b9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 2793 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2794 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2795 start_va = 0x6f3c0000 end_va = 0x6f3e7fff monitored = 0 entry_point = 0x6f3c7820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2796 start_va = 0x990000 end_va = 0x990fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2797 start_va = 0x710000 end_va = 0x711fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 2825 start_va = 0x990000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2826 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2827 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 2828 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 3199 start_va = 0x720000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 3200 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3201 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3202 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 3203 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 3204 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 3298 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5623 start_va = 0x990000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 5624 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5729 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 5849 start_va = 0x990000 end_va = 0x994fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 5850 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 5851 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 5966 start_va = 0x6fa60000 end_va = 0x6fa68fff monitored = 0 entry_point = 0x6fa63830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 6091 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 6092 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 6109 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 6110 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 6279 start_va = 0x6f8e0000 end_va = 0x6f8e8fff monitored = 0 entry_point = 0x6f8e3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 6662 start_va = 0x760000 end_va = 0x761fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 6663 start_va = 0x6f9e0000 end_va = 0x6fa5afff monitored = 0 entry_point = 0x6fa04d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 6671 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 6672 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 6673 start_va = 0x6f950000 end_va = 0x6f9d0fff monitored = 0 entry_point = 0x6f956310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 6674 start_va = 0x6f930000 end_va = 0x6f945fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6675 start_va = 0x6f8f0000 end_va = 0x6f920fff monitored = 0 entry_point = 0x6f9022d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 6676 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 6677 start_va = 0x6850000 end_va = 0x690bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006850000" filename = "" Region: id = 6678 start_va = 0x9f0000 end_va = 0x9f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 6679 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 6680 start_va = 0xa00000 end_va = 0xa03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 6681 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 6682 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 6683 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 6684 start_va = 0x6910000 end_va = 0x6910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 6685 start_va = 0x6fa60000 end_va = 0x6fa6cfff monitored = 0 entry_point = 0x6fa67d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 6686 start_va = 0x6920000 end_va = 0x6922fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 6687 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 6705 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 6706 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 6758 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 6915 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 6916 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 38 os_tid = 0x79c Thread: id = 55 os_tid = 0x12f0 Thread: id = 70 os_tid = 0x1360 Thread: id = 117 os_tid = 0xcac Thread: id = 118 os_tid = 0xcb0 Thread: id = 120 os_tid = 0xcec Thread: id = 183 os_tid = 0x12d0 Thread: id = 199 os_tid = 0x134c Process: id = "18" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5a7a0000" os_pid = "0x1210" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1001 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1002 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1003 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1004 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1005 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1006 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1007 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1008 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1009 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1010 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1011 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1012 start_va = 0x7ea70000 end_va = 0x7ea92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea70000" filename = "" Region: id = 1013 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1014 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1015 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1016 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1118 start_va = 0x400000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1119 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1120 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1121 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1122 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1123 start_va = 0x6c0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1124 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1125 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1184 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1185 start_va = 0x7e970000 end_va = 0x7ea6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e970000" filename = "" Region: id = 1186 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1187 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1188 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1189 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1190 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1191 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1192 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1193 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1194 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1195 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1196 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1197 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1198 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1199 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1200 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1201 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1202 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1203 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1204 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1241 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1242 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1243 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1244 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1245 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1277 start_va = 0x6c0000 end_va = 0x6e9fff monitored = 0 entry_point = 0x6c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1278 start_va = 0x7f0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1279 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 1280 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1329 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1330 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1331 start_va = 0x6c0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1332 start_va = 0xa80000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 1333 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1334 start_va = 0x720000 end_va = 0x7b0fff monitored = 0 entry_point = 0x758cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1335 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1432 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1433 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1434 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1435 start_va = 0x6d0000 end_va = 0x6d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1497 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1531 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1532 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1533 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1534 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 1535 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Thread: id = 39 os_tid = 0x12d8 [0071.983] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0071.983] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.983] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0071.984] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.984] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0071.984] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0071.984] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.984] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0071.985] GetProcessHeap () returned 0x7f0000 [0071.985] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.985] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0071.985] GetLastError () returned 0x7e [0071.985] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0071.985] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0071.985] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x364) returned 0x8009a0 [0071.986] SetLastError (dwErrCode=0x7e) [0071.986] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0xe00) returned 0x800d10 [0071.987] GetStartupInfoW (in: lpStartupInfo=0x18f9a8 | out: lpStartupInfo=0x18f9a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0071.987] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0071.987] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0071.987] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0071.987] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds" [0071.987] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds" [0071.988] GetACP () returned 0x4e4 [0071.988] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x220) returned 0x801b18 [0071.988] IsValidCodePage (CodePage=0x4e4) returned 1 [0071.988] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9c8 | out: lpCPInfo=0x18f9c8) returned 1 [0071.988] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f290 | out: lpCPInfo=0x18f290) returned 1 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0071.988] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2a4 | out: lpCharType=0x18f2a4) returned 1 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0071.988] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0071.988] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0071.988] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0071.988] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0071.988] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0071.988] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18f008, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0071.988] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0071.988] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0071.988] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x80) returned 0x7f3878 [0071.989] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x190) returned 0x801d40 [0071.989] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0071.989] GetLastError () returned 0x0 [0071.989] SetLastError (dwErrCode=0x0) [0071.989] GetEnvironmentStringsW () returned 0x801ed8* [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0xa8c) returned 0x802970 [0071.989] FreeEnvironmentStringsW (penv=0x801ed8) returned 1 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x90) returned 0x7f4568 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3e) returned 0x7faae0 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x5c) returned 0x7f8840 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x6e) returned 0x7f4630 [0071.989] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x78) returned 0x8037b0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x62) returned 0x7f4a00 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x28) returned 0x7f3d98 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x48) returned 0x7f3fe8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1a) returned 0x7f0570 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3a) returned 0x7fac48 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x62) returned 0x7f3bf8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2a) returned 0x7f86b8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2e) returned 0x7f84c0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1c) returned 0x7f3dc8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x144) returned 0x7f9cb8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x7c) returned 0x7f80a0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x36) returned 0x7fdef0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3a) returned 0x7fab28 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x90) returned 0x7f43a0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3918 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x30) returned 0x7f8728 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x36) returned 0x7fe3b0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x48) returned 0x7f2908 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x52) returned 0x7f04b8 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3c) returned 0x7fb080 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0xd6) returned 0x7f9e78 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2e) returned 0x7f86f0 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1e) returned 0x7f2958 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2c) returned 0x7f8760 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x54) returned 0x7f3e10 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x52) returned 0x7f4070 [0071.990] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3e70 [0071.991] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x42) returned 0x7f40d0 [0071.991] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2c) returned 0x7f85a0 [0071.991] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x44) returned 0x7f9fa8 [0071.991] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3948 [0071.991] HeapFree (in: hHeap=0x7f0000, dwFlags=0x0, lpMem=0x802970 | out: hHeap=0x7f0000) returned 1 [0071.991] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x800) returned 0x801ed8 [0071.991] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0071.991] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0071.992] GetStartupInfoW (in: lpStartupInfo=0x18fa0c | out: lpStartupInfo=0x18fa0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0071.992] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds" [0071.992] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds", pNumArgs=0x18f9f8 | out: pNumArgs=0x18f9f8) returned 0x802b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0071.992] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0071.994] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x1000) returned 0x804410 [0071.994] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x58) returned 0x7fa6f0 [0071.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumTokenCertificateIds", cchWideChar=-1, lpMultiByteStr=0x7fa6f0, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumTokenCertificateIds", lpUsedDefaultChar=0x0) returned 44 [0071.994] GetLastError () returned 0x0 [0071.994] SetLastError (dwErrCode=0x0) [0071.995] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsW") returned 0x0 [0071.995] GetLastError () returned 0x7f [0071.995] SetLastError (dwErrCode=0x7f) [0071.995] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsA") returned 0x0 [0071.995] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIds") returned 0x647c91d9 [0071.995] GetActiveWindow () returned 0x0 [0072.432] GetLastError () returned 0x7f [0072.433] SetLastError (dwErrCode=0x7f) Thread: id = 47 os_tid = 0x12ac Process: id = "19" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1795f000" os_pid = "0x11ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xd00" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "20" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45f04000" os_pid = "0x11e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x1200" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "21" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3cec0000" os_pid = "0x11bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xd24" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "22" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45453000" os_pid = "0x11f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0x768" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "23" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x449b5000" os_pid = "0x12b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1128 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1129 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1130 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1131 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1132 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1133 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1134 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1135 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1136 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 1137 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1138 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1139 start_va = 0x7e7d0000 end_va = 0x7e7f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7d0000" filename = "" Region: id = 1140 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1141 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1142 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1143 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1205 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1206 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1207 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1208 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1209 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1210 start_va = 0x6f0000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1249 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1251 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1252 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1253 start_va = 0x7e6d0000 end_va = 0x7e7cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6d0000" filename = "" Region: id = 1254 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1255 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 1256 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1257 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1258 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1259 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1260 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1261 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1262 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1263 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1264 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1265 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1336 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1337 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 1338 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1339 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1340 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1341 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1342 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1343 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1344 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1345 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1346 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1347 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1348 start_va = 0x6f0000 end_va = 0x877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 1349 start_va = 0x880000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 1350 start_va = 0x980000 end_va = 0x9a9fff monitored = 0 entry_point = 0x985680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1351 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1424 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1425 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1426 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 1427 start_va = 0xb10000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 1428 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1429 start_va = 0xb10000 end_va = 0xba0fff monitored = 0 entry_point = 0xb48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1430 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 1496 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1536 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 1537 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1538 start_va = 0xb20000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1561 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1572 start_va = 0xb30000 end_va = 0xb31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 1586 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1587 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 1588 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1589 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Thread: id = 43 os_tid = 0x12cc [0072.707] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0072.707] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.707] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0072.707] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.708] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0072.708] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0072.708] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.709] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0072.709] GetProcessHeap () returned 0x880000 [0072.709] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.709] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0072.709] GetLastError () returned 0x7e [0072.709] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0072.709] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0072.709] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x364) returned 0x890a20 [0072.710] SetLastError (dwErrCode=0x7e) [0072.710] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0xe00) returned 0x890d90 [0072.712] GetStartupInfoW (in: lpStartupInfo=0x18f998 | out: lpStartupInfo=0x18f998*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0072.712] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0072.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0072.712] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0072.712] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate" [0072.712] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate" [0072.712] GetACP () returned 0x4e4 [0072.712] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x220) returned 0x891b98 [0072.712] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.712] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9b8 | out: lpCPInfo=0x18f9b8) returned 1 [0072.712] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f280 | out: lpCPInfo=0x18f280) returned 1 [0072.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0072.712] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f294 | out: lpCharType=0x18f294) returned 1 [0072.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0072.712] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.713] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0072.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0072.713] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f794, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80àH§Ðù\x18", lpUsedDefaultChar=0x0) returned 256 [0072.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0072.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ede8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0072.713] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f694, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80àH§Ðù\x18", lpUsedDefaultChar=0x0) returned 256 [0072.713] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x80) returned 0x883860 [0072.713] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0072.713] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x180) returned 0x891dc0 [0072.713] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0072.713] GetLastError () returned 0x0 [0072.713] SetLastError (dwErrCode=0x0) [0072.714] GetEnvironmentStringsW () returned 0x891f48* [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0xa8c) returned 0x8929e0 [0072.714] FreeEnvironmentStringsW (penv=0x891f48) returned 1 [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x90) returned 0x884550 [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x3e) returned 0x88aec8 [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x5c) returned 0x888a50 [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x6e) returned 0x884848 [0072.714] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x78) returned 0x893720 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x62) returned 0x883fd0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x28) returned 0x889e28 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x48) returned 0x883d80 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x1a) returned 0x884618 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x3a) returned 0x88b030 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x62) returned 0x8847b8 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x2a) returned 0x8886d0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x2e) returned 0x888970 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x1c) returned 0x884640 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x144) returned 0x889c68 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x7c) returned 0x8882b0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x36) returned 0x88e4f0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x3a) returned 0x88b078 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x90) returned 0x88a278 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x24) returned 0x883be0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x30) returned 0x8887e8 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x36) returned 0x88e130 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x48) returned 0x883900 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x52) returned 0x8828f8 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x3c) returned 0x88aa90 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0xd6) returned 0x8804a0 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x2e) returned 0x888900 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x1e) returned 0x880580 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x2c) returned 0x888660 [0072.715] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x54) returned 0x884388 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x52) returned 0x883df8 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x24) returned 0x8843e8 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x42) returned 0x884058 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x2c) returned 0x888938 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x44) returned 0x8840a8 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x24) returned 0x883e58 [0072.716] HeapFree (in: hHeap=0x880000, dwFlags=0x0, lpMem=0x8929e0 | out: hHeap=0x880000) returned 1 [0072.716] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x8, Size=0x800) returned 0x891f48 [0072.716] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0072.716] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0072.717] GetStartupInfoW (in: lpStartupInfo=0x18f9fc | out: lpStartupInfo=0x18f9fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0072.717] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate" [0072.717] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate", pNumArgs=0x18f9e8 | out: pNumArgs=0x18f9e8) returned 0x892b98*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0072.717] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0072.720] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x1000) returned 0x894480 [0072.720] RtlAllocateHeap (HeapHandle=0x880000, Flags=0x0, Size=0x48) returned 0x88a390 [0072.720] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificate", cchWideChar=-1, lpMultiByteStr=0x88a390, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificate", lpUsedDefaultChar=0x0) returned 36 [0072.720] GetLastError () returned 0x0 [0072.720] SetLastError (dwErrCode=0x0) [0072.720] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateW") returned 0x0 [0072.720] GetLastError () returned 0x7f [0072.720] SetLastError (dwErrCode=0x7f) [0072.720] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateA") returned 0x0 [0072.721] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificate") returned 0x647c6e77 [0072.721] GetActiveWindow () returned 0x0 [0072.950] GetLastError () returned 0x7f [0072.950] SetLastError (dwErrCode=0x7f) Thread: id = 53 os_tid = 0x130c Process: id = "24" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x663c7000" os_pid = "0x12a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1211 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1212 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1213 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1214 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1215 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1216 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1217 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1218 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1219 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 1220 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1221 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1222 start_va = 0x7ea20000 end_va = 0x7ea42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea20000" filename = "" Region: id = 1223 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1224 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1225 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1226 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1266 start_va = 0x400000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1267 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1268 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1269 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1270 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1271 start_va = 0x670000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 1272 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1273 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1352 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1353 start_va = 0x7e920000 end_va = 0x7ea1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e920000" filename = "" Region: id = 1354 start_va = 0x4b0000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1355 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1356 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1357 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1358 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1359 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1360 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1361 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1362 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1363 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1364 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1365 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1366 start_va = 0x670000 end_va = 0x673fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 1367 start_va = 0x800000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1368 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1369 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1370 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1371 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1372 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1373 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1374 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1375 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1376 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1377 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1457 start_va = 0x680000 end_va = 0x6a9fff monitored = 0 entry_point = 0x685680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1458 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 1459 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1523 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1524 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1525 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1526 start_va = 0x680000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1527 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 1528 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1529 start_va = 0x680000 end_va = 0x710fff monitored = 0 entry_point = 0x6b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1530 start_va = 0x740000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1560 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1569 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1570 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1571 start_va = 0x690000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1633 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1658 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1659 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1660 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1661 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1662 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Thread: id = 49 os_tid = 0x12a0 [0072.862] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0072.862] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.863] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0072.863] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0072.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0072.864] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.864] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0072.865] GetProcessHeap () returned 0x800000 [0072.865] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.865] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0072.865] GetLastError () returned 0x7e [0072.865] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0072.865] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0072.865] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x364) returned 0x810a60 [0072.866] SetLastError (dwErrCode=0x7e) [0072.866] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0xe00) returned 0x810dd0 [0072.868] GetStartupInfoW (in: lpStartupInfo=0x18fe54 | out: lpStartupInfo=0x18fe54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0072.868] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0072.868] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0072.868] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0072.868] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId" [0072.868] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId" [0072.868] GetACP () returned 0x4e4 [0072.868] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0x220) returned 0x811bd8 [0072.868] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.868] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe74 | out: lpCPInfo=0x18fe74) returned 1 [0072.868] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f73c | out: lpCPInfo=0x18f73c) returned 1 [0072.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0072.869] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f750 | out: lpCharType=0x18f750) returned 1 [0072.869] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.869] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0072.869] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0072.869] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0072.869] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.869] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0072.869] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÃ|¹-\x8cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0072.869] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.869] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0072.869] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.870] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0072.870] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÃ|¹-\x8cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0072.870] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0x80) returned 0x803868 [0072.870] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0072.870] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x184) returned 0x811e00 [0072.870] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0072.870] GetLastError () returned 0x0 [0072.870] SetLastError (dwErrCode=0x0) [0072.870] GetEnvironmentStringsW () returned 0x811f90* [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0xa8c) returned 0x812a28 [0073.206] FreeEnvironmentStringsW (penv=0x811f90) returned 1 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x90) returned 0x804558 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x3e) returned 0x80b100 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x5c) returned 0x808830 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x6e) returned 0x804620 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x78) returned 0x813968 [0073.206] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x62) returned 0x8049f0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x28) returned 0x803d88 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x48) returned 0x803fd8 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x1a) returned 0x800570 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x3a) returned 0x80aad0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x62) returned 0x803be8 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x2a) returned 0x8085c8 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x2e) returned 0x808788 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x1c) returned 0x803db8 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x144) returned 0x809a48 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x7c) returned 0x808090 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x36) returned 0x80e330 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x3a) returned 0x80afe0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x90) returned 0x804390 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x24) returned 0x803908 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x30) returned 0x808520 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x36) returned 0x80e4f0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x48) returned 0x802900 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x52) returned 0x8004b8 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x3c) returned 0x80af08 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0xd6) returned 0x809c08 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x2e) returned 0x808638 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x1e) returned 0x802950 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x2c) returned 0x808440 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x54) returned 0x803e00 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x52) returned 0x804060 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x24) returned 0x803e60 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x42) returned 0x8040c0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x2c) returned 0x8086e0 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x44) returned 0x809d38 [0073.207] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x24) returned 0x803938 [0073.208] HeapFree (in: hHeap=0x800000, dwFlags=0x0, lpMem=0x812a28 | out: hHeap=0x800000) returned 1 [0073.208] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x8, Size=0x800) returned 0x811f90 [0073.208] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0073.208] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0073.208] GetStartupInfoW (in: lpStartupInfo=0x18feb8 | out: lpStartupInfo=0x18feb8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0073.208] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId" [0073.208] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId", pNumArgs=0x18fea4 | out: pNumArgs=0x18fea4) returned 0x812be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0073.209] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0073.211] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0x1000) returned 0x8144c8 [0073.211] RtlAllocateHeap (HeapHandle=0x800000, Flags=0x0, Size=0x4c) returned 0x80a7c8 [0073.211] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificateId", cchWideChar=-1, lpMultiByteStr=0x80a7c8, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificateId", lpUsedDefaultChar=0x0) returned 38 [0073.212] GetLastError () returned 0x0 [0073.212] SetLastError (dwErrCode=0x0) [0073.212] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdW") returned 0x0 [0073.212] GetLastError () returned 0x7f [0073.212] SetLastError (dwErrCode=0x7f) [0073.212] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdA") returned 0x0 [0073.212] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateId") returned 0x647c69cb [0073.212] GetActiveWindow () returned 0x0 [0073.295] GetLastError () returned 0x7f [0073.295] SetLastError (dwErrCode=0x7f) Thread: id = 58 os_tid = 0xe28 Process: id = "25" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3f11f000" os_pid = "0x12c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "11" os_parent_pid = "0x123c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "26" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79dd8000" os_pid = "0xbfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1313 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1314 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1315 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1316 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1317 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1318 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1319 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1320 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1321 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1322 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1323 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1324 start_va = 0x7eed0000 end_va = 0x7eef2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eed0000" filename = "" Region: id = 1325 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1326 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1327 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1328 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1409 start_va = 0x410000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1410 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1411 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1412 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1413 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1414 start_va = 0x5f0000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1415 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1416 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1470 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1471 start_va = 0x7edd0000 end_va = 0x7eecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edd0000" filename = "" Region: id = 1472 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1473 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1474 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1475 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1476 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1477 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1478 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1479 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1480 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1481 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1482 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1483 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1484 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1485 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 1486 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1487 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1488 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1489 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1490 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1491 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1492 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1493 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1494 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1495 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1545 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1546 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 1547 start_va = 0x880000 end_va = 0x8a9fff monitored = 0 entry_point = 0x885680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1548 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1562 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1563 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 1564 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 1565 start_va = 0xa10000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1566 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1567 start_va = 0xa20000 end_va = 0xab0fff monitored = 0 entry_point = 0xa58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1568 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1668 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 1669 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1670 start_va = 0xa30000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1712 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 1716 start_va = 0xa40000 end_va = 0xa41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1741 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 1742 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1743 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1744 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Thread: id = 56 os_tid = 0x1314 [0073.282] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0073.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0073.282] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0073.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0073.282] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0073.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0073.283] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0073.283] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0073.284] GetProcessHeap () returned 0x780000 [0073.284] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0073.284] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0073.284] GetLastError () returned 0x7e [0073.284] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0073.284] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0073.284] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x364) returned 0x7909a0 [0073.284] SetLastError (dwErrCode=0x7e) [0073.284] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe00) returned 0x790d10 [0073.286] GetStartupInfoW (in: lpStartupInfo=0x18fa10 | out: lpStartupInfo=0x18fa10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0073.286] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0073.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0073.286] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0073.286] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList" [0073.286] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList" [0073.286] GetACP () returned 0x4e4 [0073.286] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x220) returned 0x791b18 [0073.286] IsValidCodePage (CodePage=0x4e4) returned 1 [0073.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa30 | out: lpCPInfo=0x18fa30) returned 1 [0073.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2f8 | out: lpCPInfo=0x18f2f8) returned 1 [0073.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0073.286] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f30c | out: lpCharType=0x18f30c) returned 1 [0073.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0073.287] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0073.287] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0073.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0073.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0073.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f80c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0cbB&Hú\x18", lpUsedDefaultChar=0x0) returned 256 [0073.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f90c, cbMultiByte=256, lpWideCharStr=0x18f068, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0073.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0073.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0073.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0cbB&Hú\x18", lpUsedDefaultChar=0x0) returned 256 [0073.287] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x80) returned 0x783878 [0073.287] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0073.287] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x18c) returned 0x791d40 [0073.287] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0073.287] GetLastError () returned 0x0 [0073.287] SetLastError (dwErrCode=0x0) [0073.288] GetEnvironmentStringsW () returned 0x791ed8* [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0xa8c) returned 0x792970 [0073.288] FreeEnvironmentStringsW (penv=0x791ed8) returned 1 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x784568 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3e) returned 0x78ae88 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x5c) returned 0x788840 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x6e) returned 0x784630 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x78) returned 0x793730 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x784a00 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x783d98 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x783fe8 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x780570 [0073.288] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78aa08 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x783bf8 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2a) returned 0x788530 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788680 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x783dc8 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x144) returned 0x789a58 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x7c) returned 0x7880a0 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e430 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78aa50 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7843a0 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783918 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x30) returned 0x7886b8 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e370 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x782908 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7804b8 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3c) returned 0x78b080 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd6) returned 0x789c18 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x7886f0 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1e) returned 0x782958 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788568 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x783e10 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x784070 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783e70 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x42) returned 0x7840d0 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788760 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x789d48 [0073.289] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783948 [0073.290] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792970 | out: hHeap=0x780000) returned 1 [0073.290] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x800) returned 0x791ed8 [0073.290] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0073.290] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0073.290] GetStartupInfoW (in: lpStartupInfo=0x18fa74 | out: lpStartupInfo=0x18fa74*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0073.290] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList" [0073.290] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList", pNumArgs=0x18fa60 | out: pNumArgs=0x18fa60) returned 0x792b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0073.291] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0073.526] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x1000) returned 0x794410 [0073.526] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x54) returned 0x78a7d8 [0073.527] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificateIdList", cchWideChar=-1, lpMultiByteStr=0x78a7d8, cbMultiByte=84, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificateIdList", lpUsedDefaultChar=0x0) returned 42 [0073.529] GetLastError () returned 0x0 [0073.530] SetLastError (dwErrCode=0x0) [0073.532] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdListW") returned 0x0 [0073.533] GetLastError () returned 0x7f [0073.533] SetLastError (dwErrCode=0x7f) [0073.533] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdListA") returned 0x0 [0073.533] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdList") returned 0x647c90f5 [0073.533] GetActiveWindow () returned 0x0 [0073.665] GetLastError () returned 0x7f [0073.665] SetLastError (dwErrCode=0x7f) Thread: id = 59 os_tid = 0x1140 Process: id = "27" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59bbd000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x11e4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "28" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x181f2000" os_pid = "0x1144" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1503 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1504 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1505 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1506 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1507 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1508 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1509 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1510 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1511 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1512 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1513 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1514 start_va = 0x7ecf0000 end_va = 0x7ed12fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecf0000" filename = "" Region: id = 1515 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1516 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1517 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1518 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1549 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1550 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1551 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1552 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1553 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1554 start_va = 0x570000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1555 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1556 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1606 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1607 start_va = 0x7ebf0000 end_va = 0x7eceffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebf0000" filename = "" Region: id = 1608 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1609 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1610 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1611 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1612 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1613 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1614 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1615 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1616 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1617 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1618 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1619 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1620 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1621 start_va = 0x620000 end_va = 0x623fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1622 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 1623 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1624 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1625 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1626 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1627 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1628 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1629 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1630 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1631 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1632 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1713 start_va = 0x630000 end_va = 0x659fff monitored = 0 entry_point = 0x635680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1714 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1715 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1717 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1718 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1719 start_va = 0x630000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1720 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 1721 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1722 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1790 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1791 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 1792 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1793 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1794 start_va = 0x640000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1882 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1903 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1904 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 1905 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1906 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1907 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Thread: id = 60 os_tid = 0x5f0 [0074.051] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0074.052] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.052] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0074.052] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.053] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0074.053] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0074.053] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.054] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0074.054] GetProcessHeap () returned 0x6e0000 [0074.054] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.054] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0074.054] GetLastError () returned 0x7e [0074.054] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0074.055] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0074.055] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x364) returned 0x6f0a60 [0074.055] SetLastError (dwErrCode=0x7e) [0074.055] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xe00) returned 0x6f0dd0 [0074.057] GetStartupInfoW (in: lpStartupInfo=0x18f96c | out: lpStartupInfo=0x18f96c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0074.057] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0074.057] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0074.057] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0074.057] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob" [0074.057] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob" [0074.057] GetACP () returned 0x4e4 [0074.058] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x220) returned 0x6f1bd8 [0074.058] IsValidCodePage (CodePage=0x4e4) returned 1 [0074.058] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f98c | out: lpCPInfo=0x18f98c) returned 1 [0074.058] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f254 | out: lpCPInfo=0x18f254) returned 1 [0074.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0074.058] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f268 | out: lpCharType=0x18f268) returned 1 [0074.058] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0074.327] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.327] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0074.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0074.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0074.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f768, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿüY\x84Ö¤ù\x18", lpUsedDefaultChar=0x0) returned 256 [0074.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0074.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0074.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0074.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f668, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿüY\x84Ö¤ù\x18", lpUsedDefaultChar=0x0) returned 256 [0074.328] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x80) returned 0x6e3868 [0074.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0074.328] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x186) returned 0x6f1e00 [0074.328] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0074.328] GetLastError () returned 0x0 [0074.328] SetLastError (dwErrCode=0x0) [0074.328] GetEnvironmentStringsW () returned 0x6f1f90* [0074.328] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0xa8c) returned 0x6f2a28 [0074.329] FreeEnvironmentStringsW (penv=0x6f1f90) returned 1 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4558 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3e) returned 0x6eafe0 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x5c) returned 0x6e8830 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x6e) returned 0x6e4620 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x78) returned 0x6f39e8 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e49f0 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x28) returned 0x6e3d88 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e3fd8 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1a) returned 0x6e0570 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eb0b8 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e3be8 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2a) returned 0x6e8600 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e8750 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1c) returned 0x6e3db8 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x144) returned 0x6e9a48 [0074.329] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x7c) returned 0x6e8090 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6edfb0 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eaa40 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4390 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3908 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x30) returned 0x6e84b0 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6edf70 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e2900 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e04b8 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3c) returned 0x6eb100 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xd6) returned 0x6e9c08 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e86e0 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1e) returned 0x6e2950 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e84e8 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x54) returned 0x6e3e00 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e4060 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3e60 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x42) returned 0x6e40c0 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e8520 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x44) returned 0x6e9d38 [0074.330] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3938 [0074.331] HeapFree (in: hHeap=0x6e0000, dwFlags=0x0, lpMem=0x6f2a28 | out: hHeap=0x6e0000) returned 1 [0074.331] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x800) returned 0x6f1f90 [0074.331] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0074.331] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0074.332] GetStartupInfoW (in: lpStartupInfo=0x18f9d0 | out: lpStartupInfo=0x18f9d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0074.332] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob" [0074.332] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob", pNumArgs=0x18f9bc | out: pNumArgs=0x18f9bc) returned 0x6f2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0074.332] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0074.335] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x1000) returned 0x6f44c8 [0074.335] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x4e) returned 0x6ea480 [0074.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x6ea480, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateBlob", lpUsedDefaultChar=0x0) returned 39 [0074.336] GetLastError () returned 0x0 [0074.336] SetLastError (dwErrCode=0x0) [0074.336] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobW") returned 0x0 [0074.336] GetLastError () returned 0x7f [0074.336] SetLastError (dwErrCode=0x7f) [0074.336] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobA") returned 0x0 [0074.337] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlob") returned 0x647c8232 [0074.337] GetActiveWindow () returned 0x0 [0074.338] GetLastError () returned 0x7f [0074.338] SetLastError (dwErrCode=0x7f) Thread: id = 63 os_tid = 0x11fc Process: id = "29" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7be16000" os_pid = "0x1108" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0x1210" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "30" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x27775000" os_pid = "0x1318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0x12b0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "31" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d50a000" os_pid = "0x9e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1634 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1635 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1636 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1637 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1638 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1639 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1640 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1641 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1642 start_va = 0xe30000 end_va = 0xe31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 1643 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1644 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1645 start_va = 0x7e750000 end_va = 0x7e772fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e750000" filename = "" Region: id = 1646 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1647 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1648 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1649 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1679 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1680 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1681 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1682 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1683 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1684 start_va = 0xe40000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1685 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1686 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1745 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1746 start_va = 0x7e650000 end_va = 0x7e74ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e650000" filename = "" Region: id = 1747 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1748 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1749 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1750 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1751 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1752 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1753 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1754 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1755 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1756 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1757 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1758 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1759 start_va = 0xe30000 end_va = 0xe33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 1760 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1801 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1802 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1803 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1804 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1805 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1806 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1807 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1808 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1809 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1851 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 1852 start_va = 0xe40000 end_va = 0xe69fff monitored = 0 entry_point = 0xe45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1853 start_va = 0xee0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 1854 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1855 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1856 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1857 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1858 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1859 start_va = 0xe40000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1860 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1861 start_va = 0xfe0000 end_va = 0x1070fff monitored = 0 entry_point = 0x1018cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1896 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1908 start_va = 0xe40000 end_va = 0xe40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1909 start_va = 0xec0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 1910 start_va = 0xe50000 end_va = 0xe50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 1911 start_va = 0xe50000 end_va = 0xe57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 1944 start_va = 0xe50000 end_va = 0xe50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1958 start_va = 0xe60000 end_va = 0xe61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 1968 start_va = 0xe50000 end_va = 0xe50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1969 start_va = 0xe60000 end_va = 0xe60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 1970 start_va = 0xe50000 end_va = 0xe50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 1971 start_va = 0xe60000 end_va = 0xe60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Thread: id = 64 os_tid = 0x11f8 [0074.682] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0074.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.683] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0074.683] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0074.936] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0074.937] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.937] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0074.938] GetProcessHeap () returned 0xee0000 [0074.938] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.938] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0074.938] GetLastError () returned 0x7e [0074.938] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0074.938] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0074.938] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x364) returned 0xef0a60 [0074.939] SetLastError (dwErrCode=0x7e) [0074.939] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0xe00) returned 0xef0dd0 [0074.941] GetStartupInfoW (in: lpStartupInfo=0x18f6a8 | out: lpStartupInfo=0x18f6a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0074.941] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0074.941] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0074.941] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0074.941] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId" [0074.941] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId" [0074.941] GetACP () returned 0x4e4 [0074.941] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x0, Size=0x220) returned 0xef1bd8 [0074.941] IsValidCodePage (CodePage=0x4e4) returned 1 [0074.941] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6c8 | out: lpCPInfo=0x18f6c8) returned 1 [0074.941] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18ef90 | out: lpCPInfo=0x18ef90) returned 1 [0074.941] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.941] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x18ed38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0074.941] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18efa4 | out: lpCharType=0x18efa4) returned 1 [0074.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x18ece8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0074.942] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0074.942] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0074.942] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0074.942] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ead8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0074.942] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f4a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98Êx\x9eàö\x18", lpUsedDefaultChar=0x0) returned 256 [0074.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0074.942] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5a4, cbMultiByte=256, lpWideCharStr=0x18ed08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0074.942] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0074.942] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eaf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0074.942] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f3a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98Êx\x9eàö\x18", lpUsedDefaultChar=0x0) returned 256 [0074.943] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x0, Size=0x80) returned 0xee3860 [0074.943] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0074.943] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x182) returned 0xef1e00 [0074.943] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0074.943] GetLastError () returned 0x0 [0074.943] SetLastError (dwErrCode=0x0) [0074.943] GetEnvironmentStringsW () returned 0xef1f90* [0074.943] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x0, Size=0xa8c) returned 0xef2a28 [0074.943] FreeEnvironmentStringsW (penv=0xef1f90) returned 1 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x90) returned 0xee4550 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x3e) returned 0xeeaf50 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x5c) returned 0xee8a90 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x6e) returned 0xee4848 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x78) returned 0xef3768 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x62) returned 0xee49e8 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x28) returned 0xee3d80 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x48) returned 0xee3fd0 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x1a) returned 0xee3db0 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x3a) returned 0xeeaf98 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x62) returned 0xee4618 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x2a) returned 0xee87b8 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x2e) returned 0xee89e8 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x1c) returned 0xee47b8 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x144) returned 0xee9ca8 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x7c) returned 0xee4388 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x36) returned 0xeee330 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x3a) returned 0xeead10 [0074.944] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x90) returned 0xee3df8 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x24) returned 0xee47e0 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x30) returned 0xee86a0 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x36) returned 0xeee570 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x48) returned 0xee3be0 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x52) returned 0xee3900 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x3c) returned 0xeead58 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0xd6) returned 0xee9e68 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x2e) returned 0xee88d0 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x1e) returned 0xee3c30 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x2c) returned 0xee8908 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x54) returned 0xee28f8 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x52) returned 0xee04b8 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x24) returned 0xee4058 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x42) returned 0xee4088 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x2c) returned 0xee8828 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x44) returned 0xee9f98 [0074.945] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x24) returned 0xee40d8 [0074.946] HeapFree (in: hHeap=0xee0000, dwFlags=0x0, lpMem=0xef2a28 | out: hHeap=0xee0000) returned 1 [0074.946] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x8, Size=0x800) returned 0xef1f90 [0074.946] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0074.946] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0074.946] GetStartupInfoW (in: lpStartupInfo=0x18f70c | out: lpStartupInfo=0x18f70c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0074.946] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId" [0074.947] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId", pNumArgs=0x18f6f8 | out: pNumArgs=0x18f6f8) returned 0xef2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0074.947] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0074.950] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x0, Size=0x1000) returned 0xef44c8 [0074.950] RtlAllocateHeap (HeapHandle=0xee0000, Flags=0x0, Size=0x4a) returned 0xee82c8 [0074.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateId", cchWideChar=-1, lpMultiByteStr=0xee82c8, cbMultiByte=74, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateId", lpUsedDefaultChar=0x0) returned 37 [0074.951] GetLastError () returned 0x0 [0074.951] SetLastError (dwErrCode=0x0) [0074.951] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdW") returned 0x0 [0074.951] GetLastError () returned 0x7f [0074.951] SetLastError (dwErrCode=0x7f) [0074.951] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdA") returned 0x0 [0074.951] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateId") returned 0x647c8109 [0074.951] GetActiveWindow () returned 0x0 [0075.048] GetLastError () returned 0x7f [0075.048] SetLastError (dwErrCode=0x7f) Thread: id = 69 os_tid = 0x1388 Process: id = "32" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7be24000" os_pid = "0x1380" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1725 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1726 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1727 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1728 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1729 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1730 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1731 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1732 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1733 start_va = 0xf00000 end_va = 0xf01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1734 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1735 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1736 start_va = 0x7e5e0000 end_va = 0x7e602fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5e0000" filename = "" Region: id = 1737 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1738 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1739 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1740 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1795 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1796 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1797 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1798 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1799 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1883 start_va = 0xf10000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1884 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1885 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1886 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1887 start_va = 0x7e4e0000 end_va = 0x7e5dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4e0000" filename = "" Region: id = 1888 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1889 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1912 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1913 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1914 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1915 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1916 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1917 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1918 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1919 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1920 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1921 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1922 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1923 start_va = 0xf00000 end_va = 0xf03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 1924 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1925 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1926 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1927 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1945 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1946 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1947 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1948 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1949 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1950 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1954 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1955 start_va = 0xf10000 end_va = 0xf39fff monitored = 0 entry_point = 0xf15680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1956 start_va = 0x1020000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 1957 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1962 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1963 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1964 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 1965 start_va = 0x1120000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1966 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 1967 start_va = 0xf10000 end_va = 0xfa0fff monitored = 0 entry_point = 0xf48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1996 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 1997 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 1998 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 1999 start_va = 0xf20000 end_va = 0xf27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 2028 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 2029 start_va = 0xf30000 end_va = 0xf31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 2034 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 2035 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 2036 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 2037 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Thread: id = 67 os_tid = 0x1390 [0075.654] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0075.655] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.656] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0075.656] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.657] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0075.658] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0075.667] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.668] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0075.678] GetProcessHeap () returned 0x1020000 [0075.678] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0075.679] GetLastError () returned 0x7e [0075.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0075.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0075.679] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x364) returned 0x1030a58 [0075.679] SetLastError (dwErrCode=0x7e) [0075.679] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0xe00) returned 0x1030dc8 [0075.681] GetStartupInfoW (in: lpStartupInfo=0x18fd40 | out: lpStartupInfo=0x18fd40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0075.681] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0075.681] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0075.681] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0075.681] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask" [0075.681] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask" [0075.682] GetACP () returned 0x4e4 [0075.682] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x0, Size=0x220) returned 0x1031bd0 [0075.682] IsValidCodePage (CodePage=0x4e4) returned 1 [0075.682] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd60 | out: lpCPInfo=0x18fd60) returned 1 [0075.682] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f628 | out: lpCPInfo=0x18f628) returned 1 [0075.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0075.682] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f63c | out: lpCharType=0x18f63c) returned 1 [0075.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x18f378, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0075.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.682] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0075.682] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.682] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f168, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0075.683] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ/qhÝxý\x18", lpUsedDefaultChar=0x0) returned 256 [0075.683] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.683] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc3c, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0075.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0075.683] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa3c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ/qhÝxý\x18", lpUsedDefaultChar=0x0) returned 256 [0075.683] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x0, Size=0x80) returned 0x1023860 [0075.683] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0075.683] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x17c) returned 0x1031df8 [0075.683] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0075.683] GetLastError () returned 0x0 [0075.683] SetLastError (dwErrCode=0x0) [0075.683] GetEnvironmentStringsW () returned 0x1031f80* [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x0, Size=0xa8c) returned 0x1032a18 [0075.684] FreeEnvironmentStringsW (penv=0x1031f80) returned 1 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x90) returned 0x1024550 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x3e) returned 0x102ae70 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x5c) returned 0x1028828 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x6e) returned 0x1024618 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x78) returned 0x10343d8 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x62) returned 0x10249e8 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x28) returned 0x1023d80 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x48) returned 0x1023fd0 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x1a) returned 0x1020570 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x3a) returned 0x102ac78 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x62) returned 0x1023be0 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x2a) returned 0x1028780 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x2e) returned 0x1028400 [0075.684] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x1c) returned 0x1023db0 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x144) returned 0x1029ca0 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x7c) returned 0x1028088 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x36) returned 0x102e0a8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x3a) returned 0x102ac30 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x90) returned 0x1024388 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x24) returned 0x1023900 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x30) returned 0x10285c0 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x36) returned 0x102e128 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x48) returned 0x10228f8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x52) returned 0x10204b8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x3c) returned 0x102ad98 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0xd6) returned 0x1029e60 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x2e) returned 0x1028438 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x1e) returned 0x1022948 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x2c) returned 0x1028470 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x54) returned 0x1023df8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x52) returned 0x1024058 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x24) returned 0x1023e58 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x42) returned 0x10240b8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x2c) returned 0x10284a8 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x44) returned 0x1029f90 [0075.685] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x24) returned 0x1023930 [0075.686] HeapFree (in: hHeap=0x1020000, dwFlags=0x0, lpMem=0x1032a18 | out: hHeap=0x1020000) returned 1 [0075.686] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x8, Size=0x800) returned 0x1031f80 [0075.686] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0075.686] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0075.686] GetStartupInfoW (in: lpStartupInfo=0x18fda4 | out: lpStartupInfo=0x18fda4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0075.686] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask" [0075.686] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask", pNumArgs=0x18fd90 | out: pNumArgs=0x18fd90) returned 0x1032bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0075.687] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0075.690] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x0, Size=0x1000) returned 0x10344b8 [0075.690] RtlAllocateHeap (HeapHandle=0x1020000, Flags=0x0, Size=0x44) returned 0x102a6d8 [0075.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getPromptMask", cchWideChar=-1, lpMultiByteStr=0x102a6d8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getPromptMask", lpUsedDefaultChar=0x0) returned 34 [0075.690] GetLastError () returned 0x0 [0075.690] SetLastError (dwErrCode=0x0) [0075.690] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskW") returned 0x0 [0075.690] GetLastError () returned 0x7f [0075.690] SetLastError (dwErrCode=0x7f) [0075.690] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskA") returned 0x0 [0075.690] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMask") returned 0x647c8041 [0075.691] GetActiveWindow () returned 0x0 [0075.691] GetLastError () returned 0x7f [0075.692] SetLastError (dwErrCode=0x7f) Thread: id = 74 os_tid = 0x13b0 Process: id = "33" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4740c000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x12a8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "34" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46187000" os_pid = "0x1358" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "26" os_parent_pid = "0xbfc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "35" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x16939000" os_pid = "0x1370" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1864 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1865 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1866 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1867 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1868 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1869 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1870 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1871 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1872 start_va = 0x740000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1873 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 1874 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1875 start_va = 0x7ef40000 end_va = 0x7ef62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef40000" filename = "" Region: id = 1876 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1877 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1878 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1879 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 1897 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1898 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1899 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1900 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1901 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1902 start_va = 0x750000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1931 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1932 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1933 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1934 start_va = 0x7ee40000 end_va = 0x7ef3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 1935 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1936 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 1937 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1938 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1939 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1940 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1941 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1942 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1943 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1975 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 1976 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 1977 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1978 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1979 start_va = 0x740000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1980 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1981 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 1982 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1983 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1984 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1985 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 1986 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 1987 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 1988 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1989 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2001 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 2002 start_va = 0xa00000 end_va = 0xa29fff monitored = 0 entry_point = 0xa05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2003 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2011 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2012 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 2013 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 2014 start_va = 0xb90000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 2015 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2016 start_va = 0xb90000 end_va = 0xc20fff monitored = 0 entry_point = 0xbc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2017 start_va = 0xd30000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 2018 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2019 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 2020 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 2021 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2022 start_va = 0x760000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2033 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2059 start_va = 0xb90000 end_va = 0xb91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 2060 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2061 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 2062 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2063 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Thread: id = 72 os_tid = 0x135c [0075.839] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0075.839] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.840] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0075.840] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.840] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0075.840] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0075.840] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.841] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0075.841] GetProcessHeap () returned 0x770000 [0075.841] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.841] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0075.841] GetLastError () returned 0x7e [0075.841] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0075.842] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0075.842] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x364) returned 0x780a48 [0075.842] SetLastError (dwErrCode=0x7e) [0075.842] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xe00) returned 0x780db8 [0075.843] GetStartupInfoW (in: lpStartupInfo=0x18fad4 | out: lpStartupInfo=0x18fad4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0075.844] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0075.844] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0075.844] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0075.844] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData" [0075.844] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData" [0075.844] GetACP () returned 0x4e4 [0075.844] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x220) returned 0x781bc0 [0075.844] IsValidCodePage (CodePage=0x4e4) returned 1 [0075.844] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18faf4 | out: lpCPInfo=0x18faf4) returned 1 [0075.844] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3bc | out: lpCPInfo=0x18f3bc) returned 1 [0075.844] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.844] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x18f158, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0075.844] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f3d0 | out: lpCharType=0x18f3d0) returned 1 [0075.844] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.844] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0075.844] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0075.844] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0075.844] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.845] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0075.845] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\rÅ\x1a¾\x0cû\x18", lpUsedDefaultChar=0x0) returned 256 [0075.845] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.845] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d0, cbMultiByte=256, lpWideCharStr=0x18f128, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0075.845] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.845] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0075.845] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\rÅ\x1a¾\x0cû\x18", lpUsedDefaultChar=0x0) returned 256 [0075.845] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x80) returned 0x773850 [0075.845] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0075.845] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x178) returned 0x781de8 [0075.845] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0075.845] GetLastError () returned 0x0 [0075.845] SetLastError (dwErrCode=0x0) [0075.845] GetEnvironmentStringsW () returned 0x781f68* [0075.845] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0xa8c) returned 0x782a00 [0075.846] FreeEnvironmentStringsW (penv=0x781f68) returned 1 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x90) returned 0x7747a0 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3e) returned 0x77ab48 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x5c) returned 0x778a78 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x6e) returned 0x774868 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x78) returned 0x783540 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x62) returned 0x774c38 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x28) returned 0x773d70 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x48) returned 0x773fc0 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1a) returned 0x770570 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3a) returned 0x77ad88 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x62) returned 0x773bd0 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2a) returned 0x778730 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2e) returned 0x778768 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1c) returned 0x773da0 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x144) returned 0x779c90 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x7c) returned 0x7782d8 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x36) returned 0x77e0d8 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3a) returned 0x77ae18 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x90) returned 0x7745d8 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x7738f0 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x30) returned 0x778688 [0075.846] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x36) returned 0x77e058 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x48) returned 0x7728f0 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x52) returned 0x7704b8 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3c) returned 0x77aea8 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xd6) returned 0x779e50 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2e) returned 0x7788b8 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1e) returned 0x772940 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2c) returned 0x7789d0 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x54) returned 0x773de8 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x52) returned 0x774048 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x773e48 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x42) returned 0x7740a8 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2c) returned 0x778848 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x44) returned 0x779f80 [0075.847] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x773920 [0075.848] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x782a00 | out: hHeap=0x770000) returned 1 [0075.848] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x800) returned 0x781f68 [0075.848] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0075.848] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0075.848] GetStartupInfoW (in: lpStartupInfo=0x18fb38 | out: lpStartupInfo=0x18fb38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0075.848] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData" [0075.848] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData", pNumArgs=0x18fb24 | out: pNumArgs=0x18fb24) returned 0x782bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0075.849] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0075.852] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x1000) returned 0x7844a0 [0075.852] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x40) returned 0x77af80 [0075.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getUserData", cchWideChar=-1, lpMultiByteStr=0x77af80, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getUserData", lpUsedDefaultChar=0x0) returned 32 [0075.852] GetLastError () returned 0x0 [0075.852] SetLastError (dwErrCode=0x0) [0075.852] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataW") returned 0x0 [0075.852] GetLastError () returned 0x7f [0075.852] SetLastError (dwErrCode=0x7f) [0075.852] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataA") returned 0x0 [0075.853] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserData") returned 0x647c80a5 [0075.853] GetActiveWindow () returned 0x0 [0075.854] GetLastError () returned 0x7f [0075.854] SetLastError (dwErrCode=0x7f) Thread: id = 75 os_tid = 0x13a0 Process: id = "36" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d4ff000" os_pid = "0x13b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "28" os_parent_pid = "0x1144" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "37" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3dd35000" os_pid = "0x13ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0x9e4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "38" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d54f000" os_pid = "0x13d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2038 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2039 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2040 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2041 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2042 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2043 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2044 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2045 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2046 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2047 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2048 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2049 start_va = 0x7f4b0000 end_va = 0x7f4d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4b0000" filename = "" Region: id = 2050 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2051 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2052 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2053 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2064 start_va = 0x410000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2065 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2066 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2067 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2068 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2069 start_va = 0x5a0000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2070 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2071 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2110 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2111 start_va = 0x7f3b0000 end_va = 0x7f4affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3b0000" filename = "" Region: id = 2112 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2113 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2114 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2115 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2116 start_va = 0x730000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2117 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2118 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2119 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2120 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2121 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2122 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2123 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2149 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2150 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2151 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2152 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2153 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2154 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2155 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2156 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2157 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2158 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2159 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2160 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2161 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2162 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2163 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2164 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2165 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2166 start_va = 0x9c0000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 2167 start_va = 0xb50000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 2168 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2169 start_va = 0x4e0000 end_va = 0x570fff monitored = 0 entry_point = 0x518cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2225 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2226 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2227 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2228 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2264 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2300 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2301 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2302 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2303 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2304 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 76 os_tid = 0x13d0 [0076.843] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0076.843] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0076.844] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0076.844] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0076.844] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0076.844] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0076.844] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0076.845] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0076.845] GetProcessHeap () returned 0x630000 [0076.845] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0076.845] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0076.845] GetLastError () returned 0x7e [0076.845] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0076.845] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0076.845] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x364) returned 0x640a10 [0076.846] SetLastError (dwErrCode=0x7e) [0076.846] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0xe00) returned 0x640d80 [0076.847] GetStartupInfoW (in: lpStartupInfo=0x18f810 | out: lpStartupInfo=0x18f810*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0076.847] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0076.847] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0076.847] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0076.848] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession" [0076.848] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession" [0076.848] GetACP () returned 0x4e4 [0076.848] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x220) returned 0x641b88 [0076.848] IsValidCodePage (CodePage=0x4e4) returned 1 [0076.848] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f830 | out: lpCPInfo=0x18f830) returned 1 [0076.848] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0f8 | out: lpCPInfo=0x18f0f8) returned 1 [0076.848] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0076.848] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x18ee98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0076.848] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f10c | out: lpCharType=0x18f10c) returned 1 [0076.848] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0076.848] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0076.848] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0076.848] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0076.848] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0076.848] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0076.848] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f60c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿwanÆHø\x18", lpUsedDefaultChar=0x0) returned 256 [0076.848] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0076.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f70c, cbMultiByte=256, lpWideCharStr=0x18ee68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0076.849] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0076.849] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0076.849] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f50c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿwanÆHø\x18", lpUsedDefaultChar=0x0) returned 256 [0076.849] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x80) returned 0x633850 [0076.849] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0076.849] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x178) returned 0x641db0 [0076.849] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0076.849] GetLastError () returned 0x0 [0076.849] SetLastError (dwErrCode=0x0) [0076.849] GetEnvironmentStringsW () returned 0x641f30* [0076.849] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0xa8c) returned 0x6429c8 [0076.850] FreeEnvironmentStringsW (penv=0x641f30) returned 1 [0076.850] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x90) returned 0x634540 [0076.850] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3e) returned 0x63ae28 [0076.850] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x5c) returned 0x638a40 [0076.850] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x6e) returned 0x634838 [0076.850] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x78) returned 0x644188 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x62) returned 0x633fc0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x28) returned 0x639e18 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x48) returned 0x633d70 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1a) returned 0x634608 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3a) returned 0x63a9f0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x62) returned 0x6347a8 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2a) returned 0x638730 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2e) returned 0x638768 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1c) returned 0x634630 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x144) returned 0x639c58 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x7c) returned 0x6382a0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x36) returned 0x63e360 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3a) returned 0x63ad50 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x90) returned 0x63a268 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x633bd0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x30) returned 0x6386c0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x36) returned 0x63e120 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x48) returned 0x6338f0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x52) returned 0x6328f0 [0077.165] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3c) returned 0x63aa38 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0xd6) returned 0x6304a0 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2e) returned 0x6387a0 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1e) returned 0x630580 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2c) returned 0x6387d8 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x54) returned 0x634378 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x52) returned 0x633de8 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x6343d8 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x42) returned 0x634048 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2c) returned 0x638810 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x44) returned 0x634098 [0077.166] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x633e48 [0077.167] HeapFree (in: hHeap=0x630000, dwFlags=0x0, lpMem=0x6429c8 | out: hHeap=0x630000) returned 1 [0077.167] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x800) returned 0x641f30 [0077.167] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0077.167] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0077.168] GetStartupInfoW (in: lpStartupInfo=0x18f874 | out: lpStartupInfo=0x18f874*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0077.168] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession" [0077.168] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession", pNumArgs=0x18f860 | out: pNumArgs=0x18f860) returned 0x642b80*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0077.168] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0077.171] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x1000) returned 0x644468 [0077.171] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x40) returned 0x63ac30 [0077.171] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_lockSession", cchWideChar=-1, lpMultiByteStr=0x63ac30, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_lockSession", lpUsedDefaultChar=0x0) returned 32 [0077.172] GetLastError () returned 0x0 [0077.172] SetLastError (dwErrCode=0x0) [0077.172] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionW") returned 0x0 [0077.172] GetLastError () returned 0x7f [0077.172] SetLastError (dwErrCode=0x7f) [0077.172] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionA") returned 0x0 [0077.172] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSession") returned 0x647c6f74 [0077.172] GetActiveWindow () returned 0x0 [0077.174] GetLastError () returned 0x7f [0077.174] SetLastError (dwErrCode=0x7f) Thread: id = 79 os_tid = 0x13bc Process: id = "39" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x78f3d000" os_pid = "0x1368" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "32" os_parent_pid = "0x1380" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "40" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x67273000" os_pid = "0x13c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2094 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2095 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2096 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2097 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2098 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 2099 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2100 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2101 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2102 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2103 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2104 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2105 start_va = 0x7e5e0000 end_va = 0x7e602fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5e0000" filename = "" Region: id = 2106 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2107 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2108 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2109 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2138 start_va = 0x110000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2139 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2140 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2141 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2142 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2143 start_va = 0x500000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2144 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2145 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2146 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2147 start_va = 0x7e4e0000 end_va = 0x7e5dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4e0000" filename = "" Region: id = 2148 start_va = 0xc0000 end_va = 0x17dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2196 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2197 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2198 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2199 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2200 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 2201 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2202 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2203 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2204 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2205 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2206 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2207 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2208 start_va = 0x1c0000 end_va = 0x1c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2209 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2210 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2211 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2212 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2213 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2214 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2215 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2216 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2247 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2248 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2249 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2250 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2251 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 2252 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2258 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2259 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2260 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 2261 start_va = 0xaf0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 2262 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2263 start_va = 0x500000 end_va = 0x590fff monitored = 0 entry_point = 0x538cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2296 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2297 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2298 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2299 start_va = 0x500000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2326 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2327 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2335 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2336 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2337 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2338 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 78 os_tid = 0x13c4 [0077.793] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0077.793] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0077.793] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0077.793] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0077.793] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0077.793] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0077.794] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0077.794] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0077.794] GetProcessHeap () returned 0x5d0000 [0077.794] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0077.795] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0077.795] GetLastError () returned 0x7e [0077.795] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0077.795] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0077.795] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x364) returned 0x5e0a58 [0077.795] SetLastError (dwErrCode=0x7e) [0077.795] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe00) returned 0x5e0dc8 [0077.797] GetStartupInfoW (in: lpStartupInfo=0x4ffe30 | out: lpStartupInfo=0x4ffe30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0077.797] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0077.797] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0077.797] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0077.797] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession" [0077.797] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession" [0077.797] GetACP () returned 0x4e4 [0077.797] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x220) returned 0x5e1bd0 [0077.797] IsValidCodePage (CodePage=0x4e4) returned 1 [0077.797] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ffe50 | out: lpCPInfo=0x4ffe50) returned 1 [0077.797] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff718 | out: lpCPInfo=0x4ff718) returned 1 [0077.797] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.797] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x4ff4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0077.797] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x4ff72c | out: lpCharType=0x4ff72c) returned 1 [0077.797] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.797] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x4ff468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0077.798] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0077.798] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0077.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0077.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4ff258, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0077.798] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4ffc2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿø\x09Ç\x90hþO", lpUsedDefaultChar=0x0) returned 256 [0077.798] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0077.798] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd2c, cbMultiByte=256, lpWideCharStr=0x4ff488, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0077.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0077.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x4ff278, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0077.798] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4ffb2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿø\x09Ç\x90hþO", lpUsedDefaultChar=0x0) returned 256 [0077.798] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x80) returned 0x5d3860 [0077.798] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0077.798] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x17e) returned 0x5e1df8 [0077.798] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0077.798] GetLastError () returned 0x0 [0077.798] SetLastError (dwErrCode=0x0) [0077.798] GetEnvironmentStringsW () returned 0x5e1f80* [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa8c) returned 0x5e2a18 [0077.799] FreeEnvironmentStringsW (penv=0x5e1f80) returned 1 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x90) returned 0x5d4550 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3e) returned 0x5dad50 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x5c) returned 0x5d8828 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x6e) returned 0x5d4618 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x78) returned 0x5e3cd8 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x62) returned 0x5d49e8 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x28) returned 0x5d3d80 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x48) returned 0x5d3fd0 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1a) returned 0x5d0570 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3a) returned 0x5dad98 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x62) returned 0x5d3be0 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2a) returned 0x5d8470 [0077.799] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2e) returned 0x5d8668 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1c) returned 0x5d3db0 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x144) returned 0x5d9a40 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x7c) returned 0x5d8088 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x36) returned 0x5de0e8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3a) returned 0x5dade0 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x90) returned 0x5d4388 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3900 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x30) returned 0x5d84e0 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x36) returned 0x5de168 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x48) returned 0x5d28f8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x52) returned 0x5d04b8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3c) returned 0x5dabe8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xd6) returned 0x5d9c00 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2e) returned 0x5d85f8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1e) returned 0x5d2948 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2c) returned 0x5d8780 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5d3df8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x52) returned 0x5d4058 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3e58 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x42) returned 0x5d40b8 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2c) returned 0x5d8550 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x44) returned 0x5d9d30 [0077.800] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3930 [0077.801] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2a18 | out: hHeap=0x5d0000) returned 1 [0077.801] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x800) returned 0x5e1f80 [0077.801] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0078.027] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0078.027] GetStartupInfoW (in: lpStartupInfo=0x4ffe94 | out: lpStartupInfo=0x4ffe94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0078.027] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession" [0078.027] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession", pNumArgs=0x4ffe80 | out: pNumArgs=0x4ffe80) returned 0x5e2bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0078.027] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0078.030] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x5e44b8 [0078.030] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x46) returned 0x5da738 [0078.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_releaseSession", cchWideChar=-1, lpMultiByteStr=0x5da738, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_releaseSession", lpUsedDefaultChar=0x0) returned 35 [0078.030] GetLastError () returned 0x0 [0078.030] SetLastError (dwErrCode=0x0) [0078.030] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionW") returned 0x0 [0078.030] GetLastError () returned 0x7f [0078.030] SetLastError (dwErrCode=0x7f) [0078.030] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionA") returned 0x0 [0078.031] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSession") returned 0x647c7018 [0078.031] GetActiveWindow () returned 0x0 [0078.031] GetLastError () returned 0x7f [0078.032] SetLastError (dwErrCode=0x7f) Thread: id = 82 os_tid = 0xb90 Process: id = "41" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x582ae000" os_pid = "0x13e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0x1370" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "42" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d283000" os_pid = "0xcf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2229 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2230 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2231 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2232 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2233 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2234 start_va = 0xee0000 end_va = 0xee1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2235 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2236 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2237 start_va = 0x7ea30000 end_va = 0x7ea52fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea30000" filename = "" Region: id = 2238 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2239 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2240 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2241 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2242 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2243 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2244 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2265 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2266 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2267 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2268 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2269 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2270 start_va = 0xef0000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2271 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2272 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2305 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2306 start_va = 0x7e930000 end_va = 0x7ea2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e930000" filename = "" Region: id = 2307 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2308 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2309 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2310 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2311 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2312 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2313 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2314 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2315 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2316 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2317 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2318 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2319 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2320 start_va = 0xee0000 end_va = 0xee3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2321 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2322 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2323 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2328 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2329 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2330 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2331 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2332 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2333 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2334 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2339 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2340 start_va = 0xef0000 end_va = 0xf19fff monitored = 0 entry_point = 0xef5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2341 start_va = 0x1080000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 2342 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2359 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2360 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2361 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 2362 start_va = 0xef0000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2363 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2364 start_va = 0xef0000 end_va = 0xf80fff monitored = 0 entry_point = 0xf28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2365 start_va = 0xff0000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 2374 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2380 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2381 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2382 start_va = 0xf00000 end_va = 0xf07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2418 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 2419 start_va = 0xf10000 end_va = 0xf11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 2420 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 2421 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 2422 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2423 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Thread: id = 81 os_tid = 0x9c8 [0078.570] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0078.570] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0078.570] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0078.570] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0078.570] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0078.570] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0078.571] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0078.571] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0078.571] GetProcessHeap () returned 0x1080000 [0078.571] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0078.572] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0078.572] GetLastError () returned 0x7e [0078.572] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0078.572] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0078.572] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x364) returned 0x10909a0 [0078.572] SetLastError (dwErrCode=0x7e) [0078.572] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xe00) returned 0x1090d10 [0078.574] GetStartupInfoW (in: lpStartupInfo=0x18fd0c | out: lpStartupInfo=0x18fd0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0078.574] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0078.574] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0078.574] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0078.575] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId" [0078.575] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId" [0078.575] GetACP () returned 0x4e4 [0078.575] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x220) returned 0x1091b18 [0078.575] IsValidCodePage (CodePage=0x4e4) returned 1 [0078.575] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd2c | out: lpCPInfo=0x18fd2c) returned 1 [0078.575] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5f4 | out: lpCPInfo=0x18f5f4) returned 1 [0078.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0078.575] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f608 | out: lpCharType=0x18f608) returned 1 [0078.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.575] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x18f348, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0078.575] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0078.575] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0078.576] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0078.576] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f138, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0078.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9bãTíDý\x18", lpUsedDefaultChar=0x0) returned 256 [0078.576] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.576] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc08, cbMultiByte=256, lpWideCharStr=0x18f368, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0078.576] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0078.576] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f158, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0078.576] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9bãTíDý\x18", lpUsedDefaultChar=0x0) returned 256 [0078.576] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x80) returned 0x1083878 [0078.576] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0078.576] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x18e) returned 0x1091d40 [0078.576] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0078.576] GetLastError () returned 0x0 [0078.576] SetLastError (dwErrCode=0x0) [0078.576] GetEnvironmentStringsW () returned 0x1091ed8* [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0xa8c) returned 0x1092970 [0078.577] FreeEnvironmentStringsW (penv=0x1091ed8) returned 1 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x1084568 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3e) returned 0x108aff0 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x5c) returned 0x1088840 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x6e) returned 0x1084630 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x78) returned 0x1093730 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1084a00 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x28) returned 0x1083d98 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1083fe8 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1a) returned 0x1080570 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108b110 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1083bf8 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2a) returned 0x1088680 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x1088728 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1c) returned 0x1083dc8 [0078.577] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x144) returned 0x1089cb8 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x7c) returned 0x10880a0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108deb0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108af18 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x10843a0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083918 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x30) returned 0x1088418 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108e1f0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1082908 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x10804b8 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3c) returned 0x108aed0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xd6) returned 0x1089e78 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x1088488 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1e) returned 0x1082958 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x10884c0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x54) returned 0x1083e10 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x1084070 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083e70 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x42) returned 0x10840d0 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x1088530 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x44) returned 0x1089fa8 [0078.578] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083948 [0078.579] HeapFree (in: hHeap=0x1080000, dwFlags=0x0, lpMem=0x1092970 | out: hHeap=0x1080000) returned 1 [0078.579] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x800) returned 0x1091ed8 [0078.579] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0078.579] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0078.579] GetStartupInfoW (in: lpStartupInfo=0x18fd70 | out: lpStartupInfo=0x18fd70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0078.579] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId" [0078.579] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId", pNumArgs=0x18fd5c | out: pNumArgs=0x18fd5c) returned 0x1092b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0078.580] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0078.746] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x1000) returned 0x1094410 [0078.746] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x56) returned 0x108a6f0 [0078.746] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_serializeCertificateId", cchWideChar=-1, lpMultiByteStr=0x108a6f0, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_serializeCertificateId", lpUsedDefaultChar=0x0) returned 43 [0078.747] GetLastError () returned 0x0 [0078.747] SetLastError (dwErrCode=0x0) [0078.747] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdW") returned 0x0 [0078.747] GetLastError () returned 0x7f [0078.747] SetLastError (dwErrCode=0x7f) [0078.747] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdA") returned 0x0 [0078.747] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateId") returned 0x647cdb79 [0078.747] GetActiveWindow () returned 0x0 [0078.965] GetLastError () returned 0x7f [0078.966] SetLastError (dwErrCode=0x7f) Thread: id = 84 os_tid = 0x464 Process: id = "43" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59d29000" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x13d4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "44" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46f9d000" os_pid = "0x5b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2343 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2344 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2345 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2346 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2347 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2348 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2349 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2350 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2351 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 2352 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2353 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2354 start_va = 0x7eec0000 end_va = 0x7eee2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eec0000" filename = "" Region: id = 2355 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2356 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2357 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2358 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2366 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2367 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2368 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2369 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2370 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2371 start_va = 0x670000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2372 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2373 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2383 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2384 start_va = 0x7edc0000 end_va = 0x7eebffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edc0000" filename = "" Region: id = 2385 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2386 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2387 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2388 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2389 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2390 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2391 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2392 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2393 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2394 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2395 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2396 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2397 start_va = 0x660000 end_va = 0x663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 2398 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2424 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2425 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2426 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2427 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2428 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2429 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2430 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2431 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2432 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2433 start_va = 0x670000 end_va = 0x699fff monitored = 0 entry_point = 0x675680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2434 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2435 start_va = 0x860000 end_va = 0x9e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 2436 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2446 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2447 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2448 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2449 start_va = 0x670000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2450 start_va = 0x9f0000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 2451 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2452 start_va = 0x670000 end_va = 0x700fff monitored = 0 entry_point = 0x6a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2453 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 2502 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2503 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 2504 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2505 start_va = 0x680000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2545 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2548 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2549 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2550 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2551 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 2552 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Thread: id = 85 os_tid = 0x7b4 [0079.990] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0079.990] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0079.991] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0079.991] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0079.991] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0079.991] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0079.992] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0079.992] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0079.992] GetProcessHeap () returned 0x760000 [0079.992] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0079.993] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0079.993] GetLastError () returned 0x7e [0079.993] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0079.993] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0079.993] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x364) returned 0x770a88 [0079.993] SetLastError (dwErrCode=0x7e) [0079.993] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe00) returned 0x770df8 [0079.995] GetStartupInfoW (in: lpStartupInfo=0x18fc20 | out: lpStartupInfo=0x18fc20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0079.995] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0079.995] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0079.995] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0079.995] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob" [0079.995] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob" [0079.995] GetACP () returned 0x4e4 [0079.995] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x220) returned 0x771c00 [0079.996] IsValidCodePage (CodePage=0x4e4) returned 1 [0079.996] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc40 | out: lpCPInfo=0x18fc40) returned 1 [0079.996] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f508 | out: lpCPInfo=0x18f508) returned 1 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0079.996] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f51c | out: lpCharType=0x18f51c) returned 1 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0079.996] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0079.996] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0079.996] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.996] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0079.996] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa1c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿî\x99(¶Xü\x18", lpUsedDefaultChar=0x0) returned 256 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.996] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb1c, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0079.996] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.997] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f068, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0079.997] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f91c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿî\x99(¶Xü\x18", lpUsedDefaultChar=0x0) returned 256 [0079.997] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x763890 [0079.997] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0079.997] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a0) returned 0x771e28 [0079.997] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0079.997] GetLastError () returned 0x0 [0079.997] SetLastError (dwErrCode=0x0) [0079.997] GetEnvironmentStringsW () returned 0x771fd0* [0079.997] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa8c) returned 0x772a68 [0079.997] FreeEnvironmentStringsW (penv=0x771fd0) returned 1 [0079.997] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x764580 [0079.997] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3e) returned 0x76aaf8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x768ab8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x6e) returned 0x764648 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x78) returned 0x773e28 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x764a18 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x763db0 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x764000 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x760570 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76abd0 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x763c10 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2a) returned 0x7689d8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x7687a8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x763de0 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x144) returned 0x769cd0 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x7c) returned 0x7680b8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e518 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76aab0 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x7643b8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763930 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x768888 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e258 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x762918 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x7604b8 [0079.998] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3c) returned 0x76ab40 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xd6) returned 0x769e90 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x7688c0 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1e) returned 0x762968 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x7688f8 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x54) returned 0x763e28 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x764088 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763e88 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x42) returned 0x7640e8 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x768930 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x769fc0 [0079.999] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763960 [0080.000] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x772a68 | out: hHeap=0x760000) returned 1 [0080.000] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x800) returned 0x771fd0 [0080.000] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0080.000] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0080.000] GetStartupInfoW (in: lpStartupInfo=0x18fc84 | out: lpStartupInfo=0x18fc84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0080.000] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob" [0080.000] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob", pNumArgs=0x18fc70 | out: pNumArgs=0x18fc70) returned 0x772c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0080.001] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0080.003] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1000) returned 0x774508 [0080.003] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x68) returned 0x76a708 [0080.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setCertificateIdCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x76a708, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setCertificateIdCertificateBlob", lpUsedDefaultChar=0x0) returned 52 [0080.003] GetLastError () returned 0x0 [0080.003] SetLastError (dwErrCode=0x0) [0080.004] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobW") returned 0x0 [0080.004] GetLastError () returned 0x7f [0080.004] SetLastError (dwErrCode=0x7f) [0080.004] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobA") returned 0x0 [0080.004] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlob") returned 0x647c6cfd [0080.004] GetActiveWindow () returned 0x0 [0080.005] GetLastError () returned 0x7f [0080.005] SetLastError (dwErrCode=0x7f) Thread: id = 88 os_tid = 0x734 Process: id = "45" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x43515000" os_pid = "0x824" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "40" os_parent_pid = "0x13c8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "46" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x631b6000" os_pid = "0x980" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2402 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2403 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2404 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2405 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2406 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2407 start_va = 0xed0000 end_va = 0xed1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 2408 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2409 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2410 start_va = 0x7efc0000 end_va = 0x7efe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efc0000" filename = "" Region: id = 2411 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2412 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2413 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2414 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2415 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2416 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2417 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2440 start_va = 0x400000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2441 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2442 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2443 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2444 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2445 start_va = 0xee0000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2485 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2486 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2487 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2488 start_va = 0x7eec0000 end_va = 0x7efbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eec0000" filename = "" Region: id = 2489 start_va = 0x4b0000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2490 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2491 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2492 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2493 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2494 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2495 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2496 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2497 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2498 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2499 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2500 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2501 start_va = 0xed0000 end_va = 0xed3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 2531 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2532 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2533 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2534 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2535 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2536 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2537 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2538 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2539 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2540 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2541 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 2542 start_va = 0xee0000 end_va = 0xf09fff monitored = 0 entry_point = 0xee5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2543 start_va = 0x1040000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 2544 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2571 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2572 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2573 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2574 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 2575 start_va = 0x1140000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 2576 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2577 start_va = 0xee0000 end_va = 0xf70fff monitored = 0 entry_point = 0xf18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2578 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2579 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2580 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 2581 start_va = 0xef0000 end_va = 0xef7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 2636 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2686 start_va = 0xf00000 end_va = 0xf01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2687 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 2688 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 2689 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 2690 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Thread: id = 87 os_tid = 0xba0 [0080.486] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0080.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0080.486] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0080.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0080.486] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0080.487] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0080.487] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0080.487] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0080.488] GetProcessHeap () returned 0x1040000 [0080.488] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0080.488] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0080.488] GetLastError () returned 0x7e [0080.488] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0080.488] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0080.488] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x364) returned 0x1050a60 [0080.488] SetLastError (dwErrCode=0x7e) [0080.488] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0xe00) returned 0x1050dd0 [0080.490] GetStartupInfoW (in: lpStartupInfo=0x18f824 | out: lpStartupInfo=0x18f824*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0080.490] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0080.490] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0080.490] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0080.490] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask" [0080.490] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask" [0080.490] GetACP () returned 0x4e4 [0080.490] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x0, Size=0x220) returned 0x1051bd8 [0080.490] IsValidCodePage (CodePage=0x4e4) returned 1 [0080.490] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f844 | out: lpCPInfo=0x18f844) returned 1 [0080.490] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f10c | out: lpCPInfo=0x18f10c) returned 1 [0080.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0080.490] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0080.490] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f120 | out: lpCharType=0x18f120) returned 1 [0080.491] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0080.491] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x18ee68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0080.491] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0080.491] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0080.491] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0080.491] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0080.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f620, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿá°3…\\ø\x18", lpUsedDefaultChar=0x0) returned 256 [0080.491] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0080.491] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f720, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0080.491] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0080.491] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0080.491] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f520, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿá°3…\\ø\x18", lpUsedDefaultChar=0x0) returned 256 [0080.491] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x0, Size=0x80) returned 0x1043860 [0080.491] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0080.491] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x17c) returned 0x1051e00 [0080.491] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0080.491] GetLastError () returned 0x0 [0080.492] SetLastError (dwErrCode=0x0) [0080.492] GetEnvironmentStringsW () returned 0x1051f88* [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x0, Size=0xa8c) returned 0x1052a20 [0080.492] FreeEnvironmentStringsW (penv=0x1051f88) returned 1 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x90) returned 0x1044550 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x3e) returned 0x104a9b0 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x5c) returned 0x1048a90 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x6e) returned 0x1044848 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x78) returned 0x1053c60 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x62) returned 0x10449e8 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x28) returned 0x1043d80 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x48) returned 0x1043fd0 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x1a) returned 0x1043db0 [0080.492] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x3a) returned 0x104b100 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x62) returned 0x1044618 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x2a) returned 0x1048908 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x2e) returned 0x1048940 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x1c) returned 0x10447b8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x144) returned 0x1049ca8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x7c) returned 0x1044388 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x36) returned 0x104e170 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x3a) returned 0x104ada0 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x90) returned 0x1043df8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x24) returned 0x10447e0 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x30) returned 0x1048978 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x36) returned 0x104e130 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x48) returned 0x1043be0 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x52) returned 0x1043900 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x3c) returned 0x104aba8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0xd6) returned 0x1049e68 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x2e) returned 0x1048860 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x1e) returned 0x1043c30 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x2c) returned 0x1048780 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x54) returned 0x10428f8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x52) returned 0x10404b8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x24) returned 0x1044058 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x42) returned 0x1044088 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x2c) returned 0x10487b8 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x44) returned 0x1049f98 [0080.493] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x24) returned 0x10440d8 [0080.494] HeapFree (in: hHeap=0x1040000, dwFlags=0x0, lpMem=0x1052a20 | out: hHeap=0x1040000) returned 1 [0080.494] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x8, Size=0x800) returned 0x1051f88 [0080.494] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0080.494] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0080.495] GetStartupInfoW (in: lpStartupInfo=0x18f888 | out: lpStartupInfo=0x18f888*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0080.495] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask" [0080.495] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask", pNumArgs=0x18f874 | out: pNumArgs=0x18f874) returned 0x1052bd8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0080.495] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0080.498] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x0, Size=0x1000) returned 0x10544c0 [0080.498] RtlAllocateHeap (HeapHandle=0x1040000, Flags=0x0, Size=0x44) returned 0x10482c8 [0080.498] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setPromptMask", cchWideChar=-1, lpMultiByteStr=0x10482c8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setPromptMask", lpUsedDefaultChar=0x0) returned 34 [0080.498] GetLastError () returned 0x0 [0080.498] SetLastError (dwErrCode=0x0) [0080.498] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskW") returned 0x0 [0080.498] GetLastError () returned 0x7f [0080.498] SetLastError (dwErrCode=0x7f) [0080.499] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskA") returned 0x0 [0080.499] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMask") returned 0x647c8071 [0080.499] GetActiveWindow () returned 0x0 [0080.500] GetLastError () returned 0x7f [0080.500] SetLastError (dwErrCode=0x7f) Thread: id = 92 os_tid = 0xc0c Process: id = "47" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x65ab000" os_pid = "0x450" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "42" os_parent_pid = "0xcf0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "48" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x65cf000" os_pid = "0xae4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2456 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2457 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2458 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2459 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2460 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2461 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2462 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2463 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2464 start_va = 0x940000 end_va = 0x941fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 2465 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2466 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2467 start_va = 0x7ea20000 end_va = 0x7ea42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea20000" filename = "" Region: id = 2468 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2469 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2470 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2471 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2506 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2507 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2508 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2509 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2510 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2511 start_va = 0x950000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 2512 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2513 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2546 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2547 start_va = 0x7e920000 end_va = 0x7ea1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e920000" filename = "" Region: id = 2582 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2583 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2584 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2585 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2586 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2587 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2588 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2589 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2590 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2591 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2592 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2593 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2594 start_va = 0x940000 end_va = 0x943fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 2595 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2596 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2597 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2598 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2599 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2637 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2638 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2639 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2640 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2641 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2660 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2661 start_va = 0x950000 end_va = 0x979fff monitored = 0 entry_point = 0x955680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2662 start_va = 0xa40000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 2663 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2746 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2747 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2748 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2749 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2750 start_va = 0xb40000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 2751 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2752 start_va = 0x950000 end_va = 0x9e0fff monitored = 0 entry_point = 0x988cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2788 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2807 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 2808 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 2809 start_va = 0x960000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 2842 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 2843 start_va = 0x970000 end_va = 0x971fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2844 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 2845 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2846 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 2847 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Thread: id = 90 os_tid = 0xbe0 [0082.267] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0082.267] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.267] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0082.267] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.267] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0082.268] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0082.268] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.269] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0082.269] GetProcessHeap () returned 0xa40000 [0082.269] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.269] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0082.269] GetLastError () returned 0x7e [0082.270] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0082.270] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0082.270] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x364) returned 0xa50a48 [0082.270] SetLastError (dwErrCode=0x7e) [0082.270] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0xe00) returned 0xa50db8 [0082.272] GetStartupInfoW (in: lpStartupInfo=0x18f7e8 | out: lpStartupInfo=0x18f7e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0082.272] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0082.272] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0082.272] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0082.272] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData" [0082.272] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData" [0082.272] GetACP () returned 0x4e4 [0082.273] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x0, Size=0x220) returned 0xa51bc0 [0082.273] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.273] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f808 | out: lpCPInfo=0x18f808) returned 1 [0082.273] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0d0 | out: lpCPInfo=0x18f0d0) returned 1 [0082.273] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.273] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0082.273] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0e4 | out: lpCharType=0x18f0e4) returned 1 [0082.279] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.279] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0082.279] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.640] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0082.640] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.640] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0082.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ!Þ\x06\x07 ø\x18", lpUsedDefaultChar=0x0) returned 256 [0082.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0082.640] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.640] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0082.640] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ!Þ\x06\x07 ø\x18", lpUsedDefaultChar=0x0) returned 256 [0082.640] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x0, Size=0x80) returned 0xa43850 [0082.640] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0082.640] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x178) returned 0xa51de8 [0082.640] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0082.640] GetLastError () returned 0x0 [0082.640] SetLastError (dwErrCode=0x0) [0082.640] GetEnvironmentStringsW () returned 0xa51f68* [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x0, Size=0xa8c) returned 0xa52a00 [0082.641] FreeEnvironmentStringsW (penv=0xa51f68) returned 1 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x90) returned 0xa44540 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x3e) returned 0xa4b0a0 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x5c) returned 0xa48818 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x6e) returned 0xa44608 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x78) returned 0xa53840 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x62) returned 0xa449d8 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x28) returned 0xa43d70 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x48) returned 0xa43fc0 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x1a) returned 0xa40570 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x3a) returned 0xa4aef0 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x62) returned 0xa43bd0 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x2a) returned 0xa48700 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x2e) returned 0xa485e8 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x1c) returned 0xa43da0 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x144) returned 0xa49a30 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x7c) returned 0xa48078 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x36) returned 0xa4e518 [0082.641] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x3a) returned 0xa4ae18 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x90) returned 0xa44378 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x24) returned 0xa438f0 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x30) returned 0xa48578 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x36) returned 0xa4e1d8 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x48) returned 0xa428f0 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x52) returned 0xa404b8 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x3c) returned 0xa4a9e0 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0xd6) returned 0xa49e50 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x2e) returned 0xa485b0 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x1e) returned 0xa42940 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x2c) returned 0xa48508 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x54) returned 0xa43de8 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x52) returned 0xa44048 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x24) returned 0xa43e48 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x42) returned 0xa440a8 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x2c) returned 0xa48620 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x44) returned 0xa49f80 [0082.642] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x24) returned 0xa43920 [0082.643] HeapFree (in: hHeap=0xa40000, dwFlags=0x0, lpMem=0xa52a00 | out: hHeap=0xa40000) returned 1 [0082.643] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x8, Size=0x800) returned 0xa51f68 [0082.643] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0082.643] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0082.643] GetStartupInfoW (in: lpStartupInfo=0x18f84c | out: lpStartupInfo=0x18f84c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0082.643] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData" [0082.643] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData", pNumArgs=0x18f838 | out: pNumArgs=0x18f838) returned 0xa52bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0082.644] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0082.646] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x0, Size=0x1000) returned 0xa544a0 [0082.646] RtlAllocateHeap (HeapHandle=0xa40000, Flags=0x0, Size=0x40) returned 0xa4b058 [0082.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setUserData", cchWideChar=-1, lpMultiByteStr=0xa4b058, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setUserData", lpUsedDefaultChar=0x0) returned 32 [0082.646] GetLastError () returned 0x0 [0082.646] SetLastError (dwErrCode=0x0) [0082.646] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataW") returned 0x0 [0082.647] GetLastError () returned 0x7f [0082.647] SetLastError (dwErrCode=0x7f) [0082.647] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataA") returned 0x0 [0082.647] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserData") returned 0x647c80d5 [0082.647] GetActiveWindow () returned 0x0 [0082.824] GetLastError () returned 0x7f [0082.824] SetLastError (dwErrCode=0x7f) Thread: id = 95 os_tid = 0xc20 Process: id = "49" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x61e9000" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2555 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2556 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2557 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2558 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2559 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2560 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2561 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2562 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2563 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2564 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2565 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2566 start_va = 0x7ed40000 end_va = 0x7ed62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 2567 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2568 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2569 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2570 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2628 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2629 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2630 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2631 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2632 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2633 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 2634 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2635 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2674 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2675 start_va = 0x7ec40000 end_va = 0x7ed3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec40000" filename = "" Region: id = 2676 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2677 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2678 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2679 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2680 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2681 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2682 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2683 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2684 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2685 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2727 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2728 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2729 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2730 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2731 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2732 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2733 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2734 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2735 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2736 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2737 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2738 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2739 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2740 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2743 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 2744 start_va = 0x980000 end_va = 0x9a9fff monitored = 0 entry_point = 0x985680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2745 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2753 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2754 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2755 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 2756 start_va = 0xb10000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 2757 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2789 start_va = 0xba0000 end_va = 0xc30fff monitored = 0 entry_point = 0xbd8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2790 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2810 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 2811 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 2812 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2813 start_va = 0xb20000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2848 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 2849 start_va = 0xb30000 end_va = 0xb31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 2850 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 2851 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 2852 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2853 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Thread: id = 93 os_tid = 0xc18 [0082.650] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0082.650] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.651] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0082.651] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.651] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0082.651] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0082.652] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.652] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0082.652] GetProcessHeap () returned 0x6f0000 [0082.652] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.653] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0082.653] GetLastError () returned 0x7e [0082.653] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0082.653] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0082.653] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x364) returned 0x700a38 [0082.653] SetLastError (dwErrCode=0x7e) [0082.653] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xe00) returned 0x700da8 [0082.655] GetStartupInfoW (in: lpStartupInfo=0x18fba8 | out: lpStartupInfo=0x18fba8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0082.655] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0082.655] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0082.655] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0082.655] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign" [0082.655] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign" [0082.656] GetACP () returned 0x4e4 [0082.656] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x220) returned 0x701bb0 [0082.656] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.656] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbc8 | out: lpCPInfo=0x18fbc8) returned 1 [0082.656] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f490 | out: lpCPInfo=0x18f490) returned 1 [0082.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0082.656] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f4a4 | out: lpCharType=0x18f4a4) returned 1 [0082.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x18f1e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0082.656] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0082.656] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0082.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18efd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0082.656] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿq\x1f\x98Pàû\x18", lpUsedDefaultChar=0x0) returned 256 [0082.657] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.657] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpWideCharStr=0x18f208, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0082.657] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.657] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eff8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0082.657] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿq\x1f\x98Pàû\x18", lpUsedDefaultChar=0x0) returned 256 [0082.657] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x80) returned 0x6f3840 [0082.657] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0082.657] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x16a) returned 0x701dd8 [0082.657] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0082.657] GetLastError () returned 0x0 [0082.657] SetLastError (dwErrCode=0x0) [0082.657] GetEnvironmentStringsW () returned 0x701f50* [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0xa8c) returned 0x7029e8 [0082.658] FreeEnvironmentStringsW (penv=0x701f50) returned 1 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f4790 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3e) returned 0x6faf70 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x5c) returned 0x6f8a68 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x6e) returned 0x6f4858 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x78) returned 0x7041a8 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f4c28 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x28) returned 0x6f3d60 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f3fb0 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1a) returned 0x6f0570 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6fad78 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f3bc0 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2a) returned 0x6f8988 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f88e0 [0082.658] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1c) returned 0x6f3d90 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x144) returned 0x6f9c80 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x7c) returned 0x6f82c8 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fe388 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6faaf0 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f4368 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f38e0 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x30) returned 0x6f8758 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fe608 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f28e0 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f04b8 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3c) returned 0x6fae50 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xd6) returned 0x6f9e40 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f8790 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1e) returned 0x6f2930 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f87c8 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x54) returned 0x6f3dd8 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f4038 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3e38 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x42) returned 0x6f4098 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f8838 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x44) returned 0x6f9f70 [0082.659] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3910 [0082.660] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x7029e8 | out: hHeap=0x6f0000) returned 1 [0082.660] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x800) returned 0x701f50 [0082.660] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0082.660] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0082.660] GetStartupInfoW (in: lpStartupInfo=0x18fc0c | out: lpStartupInfo=0x18fc0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0082.660] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign" [0082.660] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign", pNumArgs=0x18fbf8 | out: pNumArgs=0x18fbf8) returned 0x702ba0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0082.661] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0082.664] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x1000) returned 0x704488 [0082.664] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x32) returned 0x6fdf48 [0082.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_sign", cchWideChar=-1, lpMultiByteStr=0x6fdf48, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_sign", lpUsedDefaultChar=0x0) returned 25 [0082.664] GetLastError () returned 0x0 [0082.664] SetLastError (dwErrCode=0x0) [0082.664] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signW") returned 0x0 [0082.665] GetLastError () returned 0x7f [0082.665] SetLastError (dwErrCode=0x7f) [0082.665] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signA") returned 0x0 [0082.665] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_sign") returned 0x647c70c6 [0082.665] GetActiveWindow () returned 0x0 [0082.870] GetLastError () returned 0x7f [0082.870] SetLastError (dwErrCode=0x7f) Thread: id = 96 os_tid = 0xc28 Process: id = "50" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x619b000" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "44" os_parent_pid = "0x5b4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "51" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x28f79000" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "46" os_parent_pid = "0x980" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "52" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52802000" os_pid = "0xc2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2772 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2773 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2774 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2775 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2776 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2777 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2778 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2779 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2780 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2781 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2782 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2783 start_va = 0x7eff0000 end_va = 0x7f012fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eff0000" filename = "" Region: id = 2784 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2785 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2786 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2787 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2798 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2799 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2800 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2801 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2802 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2803 start_va = 0xcd0000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 2829 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2830 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2831 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2832 start_va = 0x7eef0000 end_va = 0x7efeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eef0000" filename = "" Region: id = 2833 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2834 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 2835 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2836 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2837 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2838 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2839 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2840 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2841 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2872 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2873 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2874 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2875 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2876 start_va = 0xcc0000 end_va = 0xcc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 2877 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2878 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2879 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2880 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2881 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2882 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2883 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2884 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2885 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2886 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2896 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2897 start_va = 0xcd0000 end_va = 0xcf9fff monitored = 0 entry_point = 0xcd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2898 start_va = 0xec0000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 2899 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2926 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2927 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2928 start_va = 0x830000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2929 start_va = 0xcd0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 2930 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2931 start_va = 0xcd0000 end_va = 0xd60fff monitored = 0 entry_point = 0xd08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2932 start_va = 0xe40000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 2940 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2941 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 2942 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 2943 start_va = 0xce0000 end_va = 0xce7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 2955 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2956 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 2973 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2974 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 2975 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 2976 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Thread: id = 97 os_tid = 0xc30 [0083.687] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0083.687] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0083.687] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0083.687] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0083.688] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0083.688] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0083.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0083.689] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0083.689] GetProcessHeap () returned 0xec0000 [0083.689] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0083.689] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0083.689] GetLastError () returned 0x7e [0083.689] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0083.690] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0083.690] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x364) returned 0xed0a40 [0083.690] SetLastError (dwErrCode=0x7e) [0083.690] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0xe00) returned 0xed0db0 [0083.692] GetStartupInfoW (in: lpStartupInfo=0x18fa94 | out: lpStartupInfo=0x18fa94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0083.692] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0083.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0083.692] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0083.692] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny" [0083.692] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny" [0083.692] GetACP () returned 0x4e4 [0083.693] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x220) returned 0xed1bb8 [0083.693] IsValidCodePage (CodePage=0x4e4) returned 1 [0083.693] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fab4 | out: lpCPInfo=0x18fab4) returned 1 [0083.693] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f37c | out: lpCPInfo=0x18f37c) returned 1 [0083.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0083.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0083.693] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f390 | out: lpCharType=0x18f390) returned 1 [0083.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0083.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x18f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0083.693] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0083.693] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0083.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0083.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eec8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0083.693] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f890, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ&\x04/^Ìú\x18", lpUsedDefaultChar=0x0) returned 256 [0083.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0083.694] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f990, cbMultiByte=256, lpWideCharStr=0x18f0e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0083.694] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0083.694] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eed8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0083.694] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f790, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ&\x04/^Ìú\x18", lpUsedDefaultChar=0x0) returned 256 [0083.694] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x80) returned 0xec3848 [0083.694] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0083.694] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x170) returned 0xed1de0 [0083.694] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0083.694] GetLastError () returned 0x0 [0083.694] SetLastError (dwErrCode=0x0) [0083.694] GetEnvironmentStringsW () returned 0xed1f58* [0083.694] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0xa8c) returned 0xed29f0 [0083.695] FreeEnvironmentStringsW (penv=0xed1f58) returned 1 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x90) returned 0xec4798 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3e) returned 0xecaaf8 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x5c) returned 0xec8a70 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x6e) returned 0xec4860 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x78) returned 0xed3bb0 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x62) returned 0xec4c30 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x28) returned 0xec3d68 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x48) returned 0xec3fb8 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1a) returned 0xec0570 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3a) returned 0xecacf0 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x62) returned 0xec3bc8 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2a) returned 0xec8920 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2e) returned 0xec86f0 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1c) returned 0xec3d98 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x144) returned 0xec9c88 [0083.695] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x7c) returned 0xec82d0 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x36) returned 0xece190 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3a) returned 0xecb050 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x90) returned 0xec45d0 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec38e8 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x30) returned 0xec8728 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x36) returned 0xece550 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x48) returned 0xec28e8 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x52) returned 0xec04b8 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3c) returned 0xecadc8 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0xd6) returned 0xec9e48 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2e) returned 0xec8958 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1e) returned 0xec2938 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2c) returned 0xec89c8 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x54) returned 0xec3de0 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x52) returned 0xec4040 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec3e40 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x42) returned 0xec40a0 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2c) returned 0xec8990 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x44) returned 0xec9f78 [0083.696] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec3918 [0083.697] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xed29f0 | out: hHeap=0xec0000) returned 1 [0083.798] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x800) returned 0xed1f58 [0083.798] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0083.799] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0083.799] GetStartupInfoW (in: lpStartupInfo=0x18faf8 | out: lpStartupInfo=0x18faf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0083.799] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny" [0083.799] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny", pNumArgs=0x18fae4 | out: pNumArgs=0x18fae4) returned 0xed2ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0083.799] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0083.802] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x1000) returned 0xed4490 [0083.802] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x38) returned 0xece390 [0083.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signAny", cchWideChar=-1, lpMultiByteStr=0xece390, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signAny", lpUsedDefaultChar=0x0) returned 28 [0083.803] GetLastError () returned 0x0 [0083.803] SetLastError (dwErrCode=0x0) [0083.803] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyW") returned 0x0 [0083.803] GetLastError () returned 0x7f [0083.803] SetLastError (dwErrCode=0x7f) [0083.803] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyA") returned 0x0 [0083.803] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAny") returned 0x647c779a [0083.803] GetActiveWindow () returned 0x0 [0083.841] GetLastError () returned 0x7f [0083.841] SetLastError (dwErrCode=0x7f) Thread: id = 99 os_tid = 0xc38 Process: id = "53" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x58205000" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "48" os_parent_pid = "0xae4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "54" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6298e000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "49" os_parent_pid = "0xc14" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "55" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x611a000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2910 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2911 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2912 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2913 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2914 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2915 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2916 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2917 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2918 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2919 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 2920 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2921 start_va = 0x7e2e0000 end_va = 0x7e302fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2e0000" filename = "" Region: id = 2922 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2923 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2924 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2925 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 2933 start_va = 0x460000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 2934 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2935 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2936 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2937 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2938 start_va = 0x530000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2939 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2944 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2945 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2946 start_va = 0x7e1e0000 end_va = 0x7e2dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e1e0000" filename = "" Region: id = 2947 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2948 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2949 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2950 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2951 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2952 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2953 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2954 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2957 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 2958 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 2959 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2960 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2961 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2962 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2963 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2964 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2965 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2966 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2967 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2968 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 2969 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 2970 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 2971 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2972 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2977 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2978 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 2979 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2980 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2981 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2982 start_va = 0x950000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 2983 start_va = 0xae0000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 2984 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 2985 start_va = 0xae0000 end_va = 0xb70fff monitored = 0 entry_point = 0xb18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2986 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 2987 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 2988 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2989 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2990 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2991 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2992 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2993 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2994 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2995 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2996 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 100 os_tid = 0xc48 [0084.355] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0084.355] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0084.356] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0084.356] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0084.356] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0084.356] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0084.357] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0084.357] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0084.358] GetProcessHeap () returned 0x5c0000 [0084.358] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0084.358] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0084.358] GetLastError () returned 0x7e [0084.358] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0084.358] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0084.358] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x364) returned 0x5d0a50 [0084.359] SetLastError (dwErrCode=0x7e) [0084.359] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xe00) returned 0x5d0dc0 [0084.361] GetStartupInfoW (in: lpStartupInfo=0x18f914 | out: lpStartupInfo=0x18f914*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0084.361] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0084.361] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0084.361] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0084.361] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover" [0084.361] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover" [0084.361] GetACP () returned 0x4e4 [0084.361] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x220) returned 0x5d1bc8 [0084.361] IsValidCodePage (CodePage=0x4e4) returned 1 [0084.361] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f934 | out: lpCPInfo=0x18f934) returned 1 [0084.361] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1fc | out: lpCPInfo=0x18f1fc) returned 1 [0084.361] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.361] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x18ef98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0084.362] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f210 | out: lpCharType=0x18f210) returned 1 [0084.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0084.362] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0084.362] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0084.362] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.362] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0084.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f710, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ«f\x94rLù\x18", lpUsedDefaultChar=0x0) returned 256 [0084.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f810, cbMultiByte=256, lpWideCharStr=0x18ef68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0084.362] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.362] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0084.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f610, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ«f\x94rLù\x18", lpUsedDefaultChar=0x0) returned 256 [0084.363] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x80) returned 0x5c3850 [0084.363] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0084.363] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x178) returned 0x5d1df0 [0084.363] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0084.363] GetLastError () returned 0x0 [0084.363] SetLastError (dwErrCode=0x0) [0084.363] GetEnvironmentStringsW () returned 0x5d1f70* [0084.363] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0xa8c) returned 0x5d2a08 [0084.364] FreeEnvironmentStringsW (penv=0x5d1f70) returned 1 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x90) returned 0x5c47a8 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3e) returned 0x5caeb0 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x5c) returned 0x5c8a80 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x6e) returned 0x5c4870 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x78) returned 0x5d3a48 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5c4c40 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x28) returned 0x5c3d70 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x48) returned 0x5c4228 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1a) returned 0x5c0570 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5ca9e8 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5c3bd0 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2a) returned 0x5c8738 [0084.364] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2e) returned 0x5c89a0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1c) returned 0x5c3da0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x144) returned 0x5c9c98 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x7c) returned 0x5c82e0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x36) returned 0x5ce460 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5ca9a0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x90) returned 0x5c45e0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5c38f0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x30) returned 0x5c87a8 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x36) returned 0x5ce4e0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x48) returned 0x5c28f0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x52) returned 0x5c04b8 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3c) returned 0x5caa30 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xd6) returned 0x5c9e58 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2e) returned 0x5c8888 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1e) returned 0x5c2940 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2c) returned 0x5c8658 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x54) returned 0x5c3de8 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x52) returned 0x5c42b0 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5c3e48 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x42) returned 0x5c4310 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2c) returned 0x5c8770 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x44) returned 0x5c9f88 [0084.365] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5c3920 [0084.366] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d2a08 | out: hHeap=0x5c0000) returned 1 [0084.366] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x800) returned 0x5d1f70 [0084.366] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0084.366] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0084.366] GetStartupInfoW (in: lpStartupInfo=0x18f978 | out: lpStartupInfo=0x18f978*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0084.367] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover" [0084.367] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover", pNumArgs=0x18f964 | out: pNumArgs=0x18f964) returned 0x5d2bc0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0084.367] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0084.371] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x1000) returned 0x5d44a8 [0084.371] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x40) returned 0x5cadd8 [0084.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signRecover", cchWideChar=-1, lpMultiByteStr=0x5cadd8, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signRecover", lpUsedDefaultChar=0x0) returned 32 [0084.371] GetLastError () returned 0x0 [0084.372] SetLastError (dwErrCode=0x0) [0084.372] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverW") returned 0x0 [0084.372] GetLastError () returned 0x7f [0084.372] SetLastError (dwErrCode=0x7f) [0084.372] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverA") returned 0x0 [0084.372] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecover") returned 0x647c727b [0084.372] GetActiveWindow () returned 0x0 [0084.373] GetLastError () returned 0x7f [0084.373] SetLastError (dwErrCode=0x7f) Thread: id = 102 os_tid = 0xc50 Process: id = "56" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x272cd000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "52" os_parent_pid = "0xc2c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "57" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5a2ed000" os_pid = "0xc58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "55" os_parent_pid = "0xc44" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "58" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x42c34000" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2999 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3000 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3001 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3002 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3003 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3004 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3005 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3006 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3007 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3008 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3009 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3010 start_va = 0x7e680000 end_va = 0x7e6a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e680000" filename = "" Region: id = 3011 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3012 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3013 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3014 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3015 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3016 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3017 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3018 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3019 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3020 start_va = 0x510000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 3021 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3022 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3023 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3024 start_va = 0x7e580000 end_va = 0x7e67ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e580000" filename = "" Region: id = 3025 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3026 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3027 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3028 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3029 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 3030 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3031 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3032 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3033 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3034 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3035 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3036 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3037 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3038 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3039 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3040 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3041 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3042 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3043 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3044 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3045 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3046 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3047 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3048 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3049 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3050 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 3051 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3052 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3053 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3054 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 3055 start_va = 0xb10000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 3056 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3057 start_va = 0x510000 end_va = 0x5a0fff monitored = 0 entry_point = 0x548cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3058 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3059 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3060 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3061 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 3062 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 3063 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3064 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 3065 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3066 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 3067 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 3068 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 103 os_tid = 0xc60 [0085.430] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0085.431] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0085.431] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0085.431] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0085.431] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0085.431] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0085.432] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0085.432] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0085.432] GetProcessHeap () returned 0x5f0000 [0085.432] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0085.433] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0085.433] GetLastError () returned 0x7e [0085.433] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0085.433] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0085.433] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x364) returned 0x600a40 [0085.433] SetLastError (dwErrCode=0x7e) [0085.433] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xe00) returned 0x600db0 [0085.435] GetStartupInfoW (in: lpStartupInfo=0x18fd58 | out: lpStartupInfo=0x18fd58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0085.435] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0085.435] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0085.435] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0085.435] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap" [0085.435] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap" [0085.435] GetACP () returned 0x4e4 [0085.435] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x220) returned 0x601bb8 [0085.435] IsValidCodePage (CodePage=0x4e4) returned 1 [0085.435] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd78 | out: lpCPInfo=0x18fd78) returned 1 [0085.435] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f640 | out: lpCPInfo=0x18f640) returned 1 [0085.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.435] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f3e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0085.435] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f654 | out: lpCharType=0x18f654) returned 1 [0085.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0085.436] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0085.436] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0085.436] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0085.436] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0085.436] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿõ\x15^E\x90ý\x18", lpUsedDefaultChar=0x0) returned 256 [0085.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0085.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0085.436] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0085.436] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0085.436] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa54, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿõ\x15^E\x90ý\x18", lpUsedDefaultChar=0x0) returned 256 [0085.436] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x80) returned 0x5f3848 [0085.436] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0085.436] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x16e) returned 0x601de0 [0085.436] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0085.436] GetLastError () returned 0x0 [0085.436] SetLastError (dwErrCode=0x0) [0085.437] GetEnvironmentStringsW () returned 0x601f58* [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0xa8c) returned 0x6029f0 [0085.437] FreeEnvironmentStringsW (penv=0x601f58) returned 1 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x90) returned 0x5f4538 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x3e) returned 0x5fabd0 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x5c) returned 0x5f8810 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x6e) returned 0x5f4600 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x78) returned 0x603fb0 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x62) returned 0x5f49d0 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x28) returned 0x5f3d68 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x48) returned 0x5f3fb8 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1a) returned 0x5f0570 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x3a) returned 0x5fb0e0 [0085.437] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x62) returned 0x5f3bc8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2a) returned 0x5f8768 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2e) returned 0x5f8570 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1c) returned 0x5f3d98 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x144) returned 0x5f9c88 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x7c) returned 0x5f8070 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x36) returned 0x5fe010 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x3a) returned 0x5fac18 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x90) returned 0x5f4370 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x24) returned 0x5f38e8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x30) returned 0x5f8458 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x36) returned 0x5fe610 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x48) returned 0x5f28e8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x52) returned 0x5f04b8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x3c) returned 0x5fad38 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0xd6) returned 0x5f9e48 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2e) returned 0x5f84c8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x1e) returned 0x5f2938 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2c) returned 0x5f83e8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x54) returned 0x5f3de0 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x52) returned 0x5f4040 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x24) returned 0x5f3e40 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x42) returned 0x5f40a0 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x2c) returned 0x5f85a8 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x44) returned 0x5f9f78 [0085.438] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x24) returned 0x5f3918 [0085.439] HeapFree (in: hHeap=0x5f0000, dwFlags=0x0, lpMem=0x6029f0 | out: hHeap=0x5f0000) returned 1 [0085.439] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x8, Size=0x800) returned 0x601f58 [0085.439] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0085.439] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0085.439] GetStartupInfoW (in: lpStartupInfo=0x18fdbc | out: lpStartupInfo=0x18fdbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0085.439] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap" [0085.439] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap", pNumArgs=0x18fda8 | out: pNumArgs=0x18fda8) returned 0x602ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0085.440] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0085.493] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x604490 [0085.493] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x36) returned 0x5fe210 [0085.493] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_unwrap", cchWideChar=-1, lpMultiByteStr=0x5fe210, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_unwrap", lpUsedDefaultChar=0x0) returned 27 [0085.493] GetLastError () returned 0x0 [0085.493] SetLastError (dwErrCode=0x0) [0085.494] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapW") returned 0x0 [0085.494] GetLastError () returned 0x7f [0085.494] SetLastError (dwErrCode=0x7f) [0085.494] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapA") returned 0x0 [0085.494] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrap") returned 0x647c75e5 [0085.494] GetActiveWindow () returned 0x0 [0085.495] GetLastError () returned 0x7f [0085.495] SetLastError (dwErrCode=0x7f) Thread: id = 105 os_tid = 0xc68 Process: id = "59" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x462c8000" os_pid = "0xc6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "58" os_parent_pid = "0xc5c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "60" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x42e4d000" os_pid = "0xc70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3071 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3072 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3073 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3074 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3075 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3076 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3077 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3078 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3079 start_va = 0xfe0000 end_va = 0xfe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3080 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3081 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3082 start_va = 0x7ee50000 end_va = 0x7ee72fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee50000" filename = "" Region: id = 3083 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3084 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3085 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3086 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3087 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3088 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3089 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3090 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3091 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3092 start_va = 0xff0000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 3093 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3094 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3095 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3096 start_va = 0x7ed50000 end_va = 0x7ee4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed50000" filename = "" Region: id = 3097 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3098 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3099 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3100 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3101 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3102 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3103 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3104 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3105 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3106 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3107 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3108 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3109 start_va = 0xfe0000 end_va = 0xfe3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3110 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3111 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3112 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3113 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3114 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3115 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3116 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3117 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3118 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3119 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3120 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 3121 start_va = 0xff0000 end_va = 0x1019fff monitored = 0 entry_point = 0xff5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3122 start_va = 0x1180000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 3123 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3124 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3125 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3126 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 3127 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 3128 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3129 start_va = 0x2740000 end_va = 0x293ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 3130 start_va = 0xff0000 end_va = 0x1080fff monitored = 0 entry_point = 0x1028cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3131 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3132 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 3133 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 3134 start_va = 0x1000000 end_va = 0x1007fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 3135 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3136 start_va = 0x1010000 end_va = 0x1011fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 3137 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3138 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 3139 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 3140 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Thread: id = 106 os_tid = 0xc74 [0087.722] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0087.722] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0087.723] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0087.723] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0087.723] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0087.723] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0087.724] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0087.724] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0087.724] GetProcessHeap () returned 0x1180000 [0087.724] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0087.724] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0087.724] GetLastError () returned 0x7e [0087.725] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0087.725] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0087.725] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x364) returned 0x1190a20 [0087.725] SetLastError (dwErrCode=0x7e) [0087.725] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0xe00) returned 0x1190d90 [0087.727] GetStartupInfoW (in: lpStartupInfo=0x18f75c | out: lpStartupInfo=0x18f75c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0087.727] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0087.727] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0087.727] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0087.727] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del" [0087.727] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del" [0087.727] GetACP () returned 0x4e4 [0087.727] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x0, Size=0x220) returned 0x1191b98 [0087.727] IsValidCodePage (CodePage=0x4e4) returned 1 [0087.727] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f77c | out: lpCPInfo=0x18f77c) returned 1 [0087.727] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f044 | out: lpCPInfo=0x18f044) returned 1 [0087.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0087.727] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f058 | out: lpCharType=0x18f058) returned 1 [0087.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0087.727] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0087.728] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0087.728] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0087.728] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0087.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f558, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿxGW¡\x94÷\x18", lpUsedDefaultChar=0x0) returned 256 [0087.728] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.728] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f658, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0087.728] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0087.728] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eba8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0087.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f458, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿxGW¡\x94÷\x18", lpUsedDefaultChar=0x0) returned 256 [0087.728] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x0, Size=0x80) returned 0x1183828 [0087.728] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0087.728] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x15a) returned 0x1189c68 [0087.728] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0087.728] GetLastError () returned 0x0 [0087.728] SetLastError (dwErrCode=0x0) [0087.728] GetEnvironmentStringsW () returned 0x1191dc0* [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x0, Size=0xa8c) returned 0x1192858 [0087.729] FreeEnvironmentStringsW (penv=0x1191dc0) returned 1 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x90) returned 0x1184778 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x3e) returned 0x118afa0 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x5c) returned 0x1188a50 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x6e) returned 0x1184840 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x78) returned 0x1194018 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x62) returned 0x1184c10 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x28) returned 0x1183d48 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x48) returned 0x1183f98 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x1a) returned 0x1180570 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x3a) returned 0x118b108 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x62) returned 0x1183ba8 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x2a) returned 0x1188778 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x2e) returned 0x1188820 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x1c) returned 0x1183d78 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x144) returned 0x1191dc0 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x7c) returned 0x11882b0 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x36) returned 0x118df70 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x3a) returned 0x118a9b8 [0087.729] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x90) returned 0x11845b0 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x24) returned 0x11838c8 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x30) returned 0x1188938 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x36) returned 0x118e230 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x48) returned 0x11828d0 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x52) returned 0x11804b8 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x3c) returned 0x118adf0 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0xd6) returned 0x1189e28 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x2e) returned 0x1188970 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x1e) returned 0x1182920 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x2c) returned 0x1188660 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x54) returned 0x1183dc0 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x52) returned 0x1184020 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x24) returned 0x1183e20 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x42) returned 0x1184080 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x2c) returned 0x11887b0 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x44) returned 0x1189f58 [0087.730] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x24) returned 0x11838f8 [0087.730] HeapFree (in: hHeap=0x1180000, dwFlags=0x0, lpMem=0x1192858 | out: hHeap=0x1180000) returned 1 [0087.731] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x8, Size=0x800) returned 0x1191f10 [0087.731] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0087.731] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0087.731] GetStartupInfoW (in: lpStartupInfo=0x18f7c0 | out: lpStartupInfo=0x18f7c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0087.731] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del" [0087.731] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del", pNumArgs=0x18f7ac | out: pNumArgs=0x18f7ac) returned 0x1192b60*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0087.732] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0087.735] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x0, Size=0x1000) returned 0x11942f8 [0087.735] RtlAllocateHeap (HeapHandle=0x1180000, Flags=0x0, Size=0x22) returned 0x118a6a0 [0087.735] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_del", cchWideChar=-1, lpMultiByteStr=0x118a6a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_del", lpUsedDefaultChar=0x0) returned 17 [0087.735] GetLastError () returned 0x0 [0087.735] SetLastError (dwErrCode=0x0) [0087.735] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delW") returned 0x0 [0087.736] GetLastError () returned 0x7f [0087.736] SetLastError (dwErrCode=0x7f) [0087.736] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delA") returned 0x0 [0087.736] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_del") returned 0x647cc884 [0087.736] GetActiveWindow () returned 0x0 [0087.738] GetLastError () returned 0x7f [0087.738] SetLastError (dwErrCode=0x7f) Thread: id = 108 os_tid = 0xc7c Process: id = "61" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x66626000" os_pid = "0xc80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "60" os_parent_pid = "0xc70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "62" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x66667000" os_pid = "0xc9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3155 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3156 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3157 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3158 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3159 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3160 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3161 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3162 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3163 start_va = 0xb00000 end_va = 0xb01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3164 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3165 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3166 start_va = 0x7e130000 end_va = 0x7e152fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e130000" filename = "" Region: id = 3167 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3168 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3169 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3170 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3171 start_va = 0x400000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3172 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3173 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3174 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3175 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3176 start_va = 0xb10000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 3177 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3178 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3179 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3180 start_va = 0x7e030000 end_va = 0x7e12ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e030000" filename = "" Region: id = 3181 start_va = 0x4b0000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3182 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3183 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3184 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3185 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3186 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3187 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3188 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3189 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3190 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3191 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3192 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3193 start_va = 0xb00000 end_va = 0xb03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 3194 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3195 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3196 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3197 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3198 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3205 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3206 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3207 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3208 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3209 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3210 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 3211 start_va = 0xc30000 end_va = 0xc59fff monitored = 0 entry_point = 0xc35680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3212 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3213 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3214 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3215 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 3216 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3217 start_va = 0xc30000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3218 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3219 start_va = 0xc90000 end_va = 0xd20fff monitored = 0 entry_point = 0xcc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3220 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3221 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 3222 start_va = 0xb30000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 3223 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3224 start_va = 0xb20000 end_va = 0xb27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3231 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3232 start_va = 0xc30000 end_va = 0xc31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 3233 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 3234 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 3235 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 3236 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3237 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Thread: id = 115 os_tid = 0xca0 [0088.760] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0088.760] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0088.761] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0088.761] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0088.817] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0088.818] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0088.818] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0088.818] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0088.819] GetProcessHeap () returned 0xb30000 [0088.819] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0088.819] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0088.819] GetLastError () returned 0x7e [0088.819] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0088.819] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0088.819] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x364) returned 0xb40a40 [0088.819] SetLastError (dwErrCode=0x7e) [0088.820] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0xe00) returned 0xb40db0 [0088.821] GetStartupInfoW (in: lpStartupInfo=0x18fad0 | out: lpStartupInfo=0x18fad0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0088.821] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0088.821] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0088.821] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0088.821] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects" [0088.821] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects" [0088.821] GetACP () returned 0x4e4 [0088.821] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x0, Size=0x220) returned 0xb41bb8 [0088.821] IsValidCodePage (CodePage=0x4e4) returned 1 [0088.821] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18faf0 | out: lpCPInfo=0x18faf0) returned 1 [0088.821] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3b8 | out: lpCPInfo=0x18f3b8) returned 1 [0088.821] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.821] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x18f158, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0088.821] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f3cc | out: lpCharType=0x18f3cc) returned 1 [0088.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x18f108, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0088.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0088.822] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0088.822] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0088.822] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eef8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0088.822] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f8cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¿B&<\x08û\x18", lpUsedDefaultChar=0x0) returned 256 [0088.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.822] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpWideCharStr=0x18f128, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0088.822] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0088.822] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0088.822] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f7cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¿B&<\x08û\x18", lpUsedDefaultChar=0x0) returned 256 [0088.822] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x0, Size=0x80) returned 0xb33848 [0088.822] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0088.822] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x172) returned 0xb41de0 [0088.822] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0088.822] GetLastError () returned 0x0 [0088.823] SetLastError (dwErrCode=0x0) [0088.823] GetEnvironmentStringsW () returned 0xb41f60* [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x0, Size=0xa8c) returned 0xb429f8 [0088.823] FreeEnvironmentStringsW (penv=0xb41f60) returned 1 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x90) returned 0xb34538 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x3e) returned 0xb3aee8 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x5c) returned 0xb38810 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x6e) returned 0xb34600 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x78) returned 0xb43bb8 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x62) returned 0xb349d0 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x28) returned 0xb33d68 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x48) returned 0xb33fb8 [0088.823] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x1a) returned 0xb30570 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x3a) returned 0xb3af30 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x62) returned 0xb33bc8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x2a) returned 0xb38538 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x2e) returned 0xb38490 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x1c) returned 0xb33d98 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x144) returned 0xb39a28 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x7c) returned 0xb38070 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x36) returned 0xb3e6d0 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x3a) returned 0xb3acf0 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x90) returned 0xb34370 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x24) returned 0xb338e8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x30) returned 0xb384c8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x36) returned 0xb3e010 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x48) returned 0xb328e8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x52) returned 0xb304b8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x3c) returned 0xb3aaf8 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0xd6) returned 0xb39e48 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x2e) returned 0xb38420 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x1e) returned 0xb32938 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x2c) returned 0xb38730 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x54) returned 0xb33de0 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x52) returned 0xb34040 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x24) returned 0xb33e40 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x42) returned 0xb340a0 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x2c) returned 0xb38570 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x44) returned 0xb39f78 [0088.824] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x24) returned 0xb33918 [0088.825] HeapFree (in: hHeap=0xb30000, dwFlags=0x0, lpMem=0xb429f8 | out: hHeap=0xb30000) returned 1 [0088.825] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x8, Size=0x800) returned 0xb41f60 [0088.826] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0088.826] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0088.826] GetStartupInfoW (in: lpStartupInfo=0x18fb34 | out: lpStartupInfo=0x18fb34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0088.826] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects" [0088.826] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects", pNumArgs=0x18fb20 | out: pNumArgs=0x18fb20) returned 0xb42bb0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0088.827] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0088.831] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x0, Size=0x1000) returned 0xb44498 [0088.831] RtlAllocateHeap (HeapHandle=0xb30000, Flags=0x0, Size=0x3a) returned 0xb3a9d8 [0088.831] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_enumDataObjects", cchWideChar=-1, lpMultiByteStr=0xb3a9d8, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_enumDataObjects", lpUsedDefaultChar=0x0) returned 29 [0088.831] GetLastError () returned 0x0 [0088.831] SetLastError (dwErrCode=0x0) [0088.831] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsW") returned 0x0 [0088.831] GetLastError () returned 0x7f [0088.832] SetLastError (dwErrCode=0x7f) [0088.832] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsA") returned 0x0 [0088.832] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjects") returned 0x647ccc50 [0088.832] GetActiveWindow () returned 0x0 [0088.833] GetLastError () returned 0x7f [0088.833] SetLastError (dwErrCode=0x7f) Thread: id = 119 os_tid = 0xce8 Process: id = "63" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63c8b000" os_pid = "0xcf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "62" os_parent_pid = "0xc9c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "64" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x64680000" os_pid = "0x414" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3242 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3243 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3244 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3245 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3246 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3247 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3248 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3249 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3250 start_va = 0xe80000 end_va = 0xe81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3251 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3252 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3253 start_va = 0x7f0e0000 end_va = 0x7f102fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0e0000" filename = "" Region: id = 3254 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3255 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3256 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3257 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3260 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3261 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3262 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3263 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3264 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3265 start_va = 0xe90000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3266 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3267 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3268 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3269 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3270 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3271 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 3272 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3273 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3274 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3275 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 3276 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3277 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3278 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3279 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3280 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3281 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3282 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3283 start_va = 0xe80000 end_va = 0xe83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 3284 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3285 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3286 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3287 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3288 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3289 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3290 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3291 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3292 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3293 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3294 start_va = 0x6c0000 end_va = 0x847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 3295 start_va = 0xe90000 end_va = 0xeb9fff monitored = 0 entry_point = 0xe95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3296 start_va = 0xfe0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3297 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3299 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3300 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3301 start_va = 0x850000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 3302 start_va = 0xe90000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3303 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3304 start_va = 0xe90000 end_va = 0xf20fff monitored = 0 entry_point = 0xec8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3305 start_va = 0xf70000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 3306 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3307 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3308 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 3309 start_va = 0xea0000 end_va = 0xea7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 3326 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 3327 start_va = 0xeb0000 end_va = 0xeb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 3337 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 3338 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 3339 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 3340 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Thread: id = 124 os_tid = 0x3a8 [0089.896] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0089.896] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0089.896] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0089.896] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0089.897] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0089.897] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0089.897] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0089.897] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0089.898] GetProcessHeap () returned 0xfe0000 [0089.898] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0089.898] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0089.898] GetLastError () returned 0x7e [0089.898] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0089.898] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0089.898] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x364) returned 0xff0a40 [0089.898] SetLastError (dwErrCode=0x7e) [0089.899] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0xe00) returned 0xff0db0 [0089.900] GetStartupInfoW (in: lpStartupInfo=0x18fbe0 | out: lpStartupInfo=0x18fbe0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0089.900] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0089.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0089.900] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0089.900] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList" [0089.900] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList" [0089.900] GetACP () returned 0x4e4 [0089.900] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x0, Size=0x220) returned 0xff1bb8 [0089.900] IsValidCodePage (CodePage=0x4e4) returned 1 [0089.900] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc00 | out: lpCPInfo=0x18fc00) returned 1 [0089.900] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4c8 | out: lpCPInfo=0x18f4c8) returned 1 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x18f268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0089.901] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f4dc | out: lpCharType=0x18f4dc) returned 1 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x18f218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0089.901] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0089.901] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0089.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0089.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f008, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0089.901] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9dc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x96kª\x09\x18ü\x18", lpUsedDefaultChar=0x0) returned 256 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0089.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0089.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0089.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0089.901] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8dc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x96kª\x09\x18ü\x18", lpUsedDefaultChar=0x0) returned 256 [0089.901] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x0, Size=0x80) returned 0xfe3848 [0089.902] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0089.902] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x170) returned 0xff1de0 [0089.902] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0089.902] GetLastError () returned 0x0 [0089.902] SetLastError (dwErrCode=0x0) [0089.902] GetEnvironmentStringsW () returned 0xff1f58* [0089.902] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x0, Size=0xa8c) returned 0xff29f0 [0089.921] FreeEnvironmentStringsW (penv=0xff1f58) returned 1 [0089.921] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x90) returned 0xfe4798 [0089.921] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x3e) returned 0xfeadc8 [0089.921] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x5c) returned 0xfe8a70 [0089.921] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x6e) returned 0xfe4860 [0089.921] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x78) returned 0xff3fb0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x62) returned 0xfe4c30 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x28) returned 0xfe3d68 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x48) returned 0xfe3fb8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x1a) returned 0xfe0570 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x3a) returned 0xfeabd0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x62) returned 0xfe3bc8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x2a) returned 0xfe86f0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x2e) returned 0xfe8920 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x1c) returned 0xfe3d98 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x144) returned 0xfe9c88 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x7c) returned 0xfe82d0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x36) returned 0xfee1d0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x3a) returned 0xfea9d8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x90) returned 0xfe45d0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x24) returned 0xfe38e8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x30) returned 0xfe8990 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x36) returned 0xfee210 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x48) returned 0xfe28e8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x52) returned 0xfe04b8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x3c) returned 0xfeb0e0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0xd6) returned 0xfe9e48 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x2e) returned 0xfe89c8 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x1e) returned 0xfe2938 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x2c) returned 0xfe87d0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x54) returned 0xfe3de0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x52) returned 0xfe4040 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x24) returned 0xfe3e40 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x42) returned 0xfe40a0 [0089.922] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x2c) returned 0xfe8808 [0089.923] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x44) returned 0xfe9f78 [0089.923] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x24) returned 0xfe3918 [0089.923] HeapFree (in: hHeap=0xfe0000, dwFlags=0x0, lpMem=0xff29f0 | out: hHeap=0xfe0000) returned 1 [0089.923] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x8, Size=0x800) returned 0xff1f58 [0089.923] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0089.923] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0089.924] GetStartupInfoW (in: lpStartupInfo=0x18fc44 | out: lpStartupInfo=0x18fc44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0089.924] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList" [0089.924] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList", pNumArgs=0x18fc30 | out: pNumArgs=0x18fc30) returned 0xff2ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0089.924] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0089.927] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x0, Size=0x1000) returned 0xff4490 [0089.927] RtlAllocateHeap (HeapHandle=0xfe0000, Flags=0x0, Size=0x38) returned 0xfee390 [0089.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_freeDataIdList", cchWideChar=-1, lpMultiByteStr=0xfee390, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_freeDataIdList", lpUsedDefaultChar=0x0) returned 28 [0089.927] GetLastError () returned 0x0 [0089.927] SetLastError (dwErrCode=0x0) [0089.927] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListW") returned 0x0 [0089.927] GetLastError () returned 0x7f [0089.927] SetLastError (dwErrCode=0x7f) [0089.927] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListA") returned 0x0 [0089.927] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdList") returned 0x647ccb5d [0089.927] GetActiveWindow () returned 0x0 [0089.928] GetLastError () returned 0x7f [0089.928] SetLastError (dwErrCode=0x7f) Thread: id = 126 os_tid = 0xb9c Process: id = "65" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79497000" os_pid = "0x13f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3310 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3311 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3312 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3313 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3314 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3315 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3316 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3317 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3318 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3319 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3320 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3321 start_va = 0x7ed70000 end_va = 0x7ed92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 3322 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3323 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3324 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3325 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3329 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3330 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3331 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3332 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3333 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3334 start_va = 0xc30000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3335 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3336 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3341 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3342 start_va = 0x7ec70000 end_va = 0x7ed6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 3343 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3344 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3345 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3346 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3347 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3348 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3349 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3350 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3351 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3352 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3353 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3354 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3355 start_va = 0xc20000 end_va = 0xc23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 3356 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3357 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3358 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3359 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3360 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3361 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3362 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3363 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3364 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3365 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3366 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3367 start_va = 0xc30000 end_va = 0xc59fff monitored = 0 entry_point = 0xc35680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3368 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 3369 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3372 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3373 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3374 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3375 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 3376 start_va = 0xd60000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3377 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3378 start_va = 0xdd0000 end_va = 0xe60fff monitored = 0 entry_point = 0xe08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3395 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3396 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 3397 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 3398 start_va = 0xc40000 end_va = 0xc47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 3409 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3410 start_va = 0xc50000 end_va = 0xc51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 3411 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3445 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 3446 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 3447 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Thread: id = 127 os_tid = 0x49c [0090.532] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0090.532] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0090.532] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0090.532] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0090.533] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0090.533] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0090.533] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0090.533] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0090.534] GetProcessHeap () returned 0xc60000 [0090.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0090.534] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0090.534] GetLastError () returned 0x7e [0090.534] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0090.534] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0090.534] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x364) returned 0xc70a20 [0090.534] SetLastError (dwErrCode=0x7e) [0090.535] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0xe00) returned 0xc70d90 [0090.536] GetStartupInfoW (in: lpStartupInfo=0x18f7cc | out: lpStartupInfo=0x18f7cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0090.536] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0090.536] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0090.536] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0090.536] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get" [0090.536] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get" [0090.536] GetACP () returned 0x4e4 [0090.536] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x0, Size=0x220) returned 0xc71b98 [0090.536] IsValidCodePage (CodePage=0x4e4) returned 1 [0090.536] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7ec | out: lpCPInfo=0x18f7ec) returned 1 [0090.536] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0b4 | out: lpCPInfo=0x18f0b4) returned 1 [0090.536] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0090.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0090.537] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f0c8 | out: lpCharType=0x18f0c8) returned 1 [0090.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0090.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0090.537] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0090.537] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0090.537] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0090.537] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ebf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0090.537] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5c8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'=tÝ\x04ø\x18", lpUsedDefaultChar=0x0) returned 256 [0090.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0090.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0090.537] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0090.537] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0090.537] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4c8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'=tÝ\x04ø\x18", lpUsedDefaultChar=0x0) returned 256 [0090.537] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x0, Size=0x80) returned 0xc63828 [0090.537] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x15a) returned 0xc69a08 [0090.538] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0090.538] GetLastError () returned 0x0 [0090.538] SetLastError (dwErrCode=0x0) [0090.538] GetEnvironmentStringsW () returned 0xc71dc0* [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x0, Size=0xa8c) returned 0xc72858 [0090.538] FreeEnvironmentStringsW (penv=0xc71dc0) returned 1 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x90) returned 0xc64518 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x3e) returned 0xc6abb0 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x5c) returned 0xc687f0 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x6e) returned 0xc645e0 [0090.538] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x78) returned 0xc73c18 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x62) returned 0xc649b0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x28) returned 0xc63d48 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x48) returned 0xc63f98 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x1a) returned 0xc60570 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x3a) returned 0xc6a970 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x62) returned 0xc63ba8 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x2a) returned 0xc685c0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x2e) returned 0xc68518 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x1c) returned 0xc63d78 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x144) returned 0xc71dc0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x7c) returned 0xc68050 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x36) returned 0xc6e030 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x3a) returned 0xc6afa0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x90) returned 0xc64350 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x24) returned 0xc638c8 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x30) returned 0xc68668 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x36) returned 0xc6e130 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x48) returned 0xc628d0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x52) returned 0xc604b8 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x3c) returned 0xc6afe8 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0xd6) returned 0xc69e28 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x2e) returned 0xc686d8 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x1e) returned 0xc62920 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x2c) returned 0xc686a0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x54) returned 0xc63dc0 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x52) returned 0xc64020 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x24) returned 0xc63e20 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x42) returned 0xc64080 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x2c) returned 0xc68710 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x44) returned 0xc69f58 [0090.539] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x24) returned 0xc638f8 [0090.540] HeapFree (in: hHeap=0xc60000, dwFlags=0x0, lpMem=0xc72858 | out: hHeap=0xc60000) returned 1 [0090.540] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x8, Size=0x800) returned 0xc71f10 [0090.540] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0090.540] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0090.540] GetStartupInfoW (in: lpStartupInfo=0x18f830 | out: lpStartupInfo=0x18f830*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0090.541] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get" [0090.541] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get", pNumArgs=0x18f81c | out: pNumArgs=0x18f81c) returned 0xc72b60*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0090.541] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0090.544] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x0, Size=0x1000) returned 0xc742f8 [0090.544] RtlAllocateHeap (HeapHandle=0xc60000, Flags=0x0, Size=0x22) returned 0xc6a6a0 [0090.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_get", cchWideChar=-1, lpMultiByteStr=0xc6a6a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_get", lpUsedDefaultChar=0x0) returned 17 [0090.544] GetLastError () returned 0x0 [0090.544] SetLastError (dwErrCode=0x0) [0090.544] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getW") returned 0x0 [0090.544] GetLastError () returned 0x7f [0090.544] SetLastError (dwErrCode=0x7f) [0090.545] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getA") returned 0x0 [0090.545] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_get") returned 0x647cc130 [0090.545] GetActiveWindow () returned 0x0 [0090.545] GetLastError () returned 0x7f [0090.546] SetLastError (dwErrCode=0x7f) Thread: id = 129 os_tid = 0xa68 Process: id = "66" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63f51000" os_pid = "0xdd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "64" os_parent_pid = "0x414" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "67" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63fb0000" os_pid = "0xd78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3379 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3380 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3381 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3382 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3383 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3384 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3385 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3386 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3387 start_va = 0xa20000 end_va = 0xa21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 3388 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3389 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3390 start_va = 0x7fa60000 end_va = 0x7fa82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa60000" filename = "" Region: id = 3391 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3392 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3393 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3394 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3399 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3400 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3401 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3402 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3403 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3404 start_va = 0xa30000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3405 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3406 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3412 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3413 start_va = 0x7f960000 end_va = 0x7fa5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f960000" filename = "" Region: id = 3414 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3415 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3416 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3417 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3418 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3419 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3420 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3421 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3422 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3423 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3424 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3425 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3426 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3427 start_va = 0xa20000 end_va = 0xa23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 3428 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3448 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3449 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3450 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3451 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3452 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3453 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3454 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3455 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3456 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3457 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 3458 start_va = 0xa30000 end_va = 0xa59fff monitored = 0 entry_point = 0xa35680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3459 start_va = 0xbf0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3460 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3467 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3468 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3469 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3470 start_va = 0xa30000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3471 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3472 start_va = 0xa30000 end_va = 0xac0fff monitored = 0 entry_point = 0xa68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3473 start_va = 0xb80000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 3509 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3510 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3511 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 3512 start_va = 0xa40000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 3561 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3562 start_va = 0xa50000 end_va = 0xa51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 3563 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3564 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 3614 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 3615 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Thread: id = 130 os_tid = 0xda0 [0091.063] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0091.064] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.064] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0091.064] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.064] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0091.064] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0091.065] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.065] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0091.066] GetProcessHeap () returned 0xbf0000 [0091.066] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.066] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0091.066] GetLastError () returned 0x7e [0091.066] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0091.066] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0091.066] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x364) returned 0xc00a20 [0091.067] SetLastError (dwErrCode=0x7e) [0091.067] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xe00) returned 0xc00d90 [0091.069] GetStartupInfoW (in: lpStartupInfo=0x18f734 | out: lpStartupInfo=0x18f734*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0091.069] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0091.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0091.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0091.069] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put" [0091.069] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put" [0091.069] GetACP () returned 0x4e4 [0091.069] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x220) returned 0xc01b98 [0091.069] IsValidCodePage (CodePage=0x4e4) returned 1 [0091.069] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f754 | out: lpCPInfo=0x18f754) returned 1 [0091.069] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f01c | out: lpCPInfo=0x18f01c) returned 1 [0091.069] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.069] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0091.069] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f030 | out: lpCharType=0x18f030) returned 1 [0091.069] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.069] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x18ed78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0091.069] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.070] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0091.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0091.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0091.070] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f530, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¼\x0bøâl÷\x18", lpUsedDefaultChar=0x0) returned 256 [0091.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f630, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0091.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0091.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0091.070] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f430, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¼\x0bøâl÷\x18", lpUsedDefaultChar=0x0) returned 256 [0091.070] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x80) returned 0xbf3828 [0091.070] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0091.070] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x15a) returned 0xbf9c68 [0091.070] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0091.070] GetLastError () returned 0x0 [0091.070] SetLastError (dwErrCode=0x0) [0091.070] GetEnvironmentStringsW () returned 0xc01dc0* [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0xa8c) returned 0xc02858 [0091.071] FreeEnvironmentStringsW (penv=0xc01dc0) returned 1 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf4518 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3e) returned 0xbfab68 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x5c) returned 0xbf8a50 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x6e) returned 0xbf45e0 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x78) returned 0xc03318 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf49b0 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x28) returned 0xbf3d48 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf3f98 [0091.071] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1a) returned 0xbf0570 [0091.072] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfafe8 [0091.072] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf3ba8 [0091.072] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2a) returned 0xbf8778 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf8938 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1c) returned 0xbf3d78 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x144) returned 0xc01dc0 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x7c) returned 0xbf8050 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe6b0 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfabf8 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf4350 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf38c8 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x30) returned 0xbf8890 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe270 [0091.225] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf28d0 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf04b8 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3c) returned 0xbfaec8 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xd6) returned 0xbf9e28 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf8970 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1e) returned 0xbf2920 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf8740 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x54) returned 0xbf3dc0 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf4020 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3e20 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x42) returned 0xbf4080 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf87b0 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x44) returned 0xbf9f58 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf38f8 [0091.226] HeapFree (in: hHeap=0xbf0000, dwFlags=0x0, lpMem=0xc02858 | out: hHeap=0xbf0000) returned 1 [0091.226] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x800) returned 0xc01f10 [0091.227] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0091.227] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0091.227] GetStartupInfoW (in: lpStartupInfo=0x18f798 | out: lpStartupInfo=0x18f798*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0091.227] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put" [0091.227] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put", pNumArgs=0x18f784 | out: pNumArgs=0x18f784) returned 0xc02b60*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0091.227] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0091.230] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x1000) returned 0xc042f8 [0091.230] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x22) returned 0xbfa6a0 [0091.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_put", cchWideChar=-1, lpMultiByteStr=0xbfa6a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_put", lpUsedDefaultChar=0x0) returned 17 [0091.230] GetLastError () returned 0x0 [0091.230] SetLastError (dwErrCode=0x0) [0091.231] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putW") returned 0x0 [0091.231] GetLastError () returned 0x7f [0091.231] SetLastError (dwErrCode=0x7f) [0091.231] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putA") returned 0x0 [0091.231] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_put") returned 0x647cc4df [0091.231] GetActiveWindow () returned 0x0 [0091.232] GetLastError () returned 0x7f [0091.232] SetLastError (dwErrCode=0x7f) Thread: id = 132 os_tid = 0xcc4 Process: id = "68" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63ec4000" os_pid = "0xcb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3429 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3430 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3431 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3432 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 3433 start_va = 0xa0000 end_va = 0xa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3434 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3435 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3436 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3437 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3438 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3439 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3440 start_va = 0x7ee70000 end_va = 0x7ee92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee70000" filename = "" Region: id = 3441 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3442 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3443 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3444 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3461 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3462 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3463 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3464 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3465 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3466 start_va = 0x4e0000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3492 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3493 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3494 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3495 start_va = 0x7ed70000 end_va = 0x7ee6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 3496 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3497 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3498 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3499 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3500 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3501 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3502 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 3503 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3504 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3505 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3506 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3507 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3508 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3521 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3522 start_va = 0xa0000 end_va = 0xa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 3523 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3524 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3525 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3526 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3527 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3528 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3529 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3530 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3531 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3532 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3533 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3534 start_va = 0x730000 end_va = 0x8b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3535 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3536 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3537 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3538 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 3539 start_va = 0xa50000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 3540 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3541 start_va = 0xa50000 end_va = 0xae0fff monitored = 0 entry_point = 0xa88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3542 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 3584 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3585 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3586 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3587 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3657 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3707 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 3718 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3719 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 3720 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3721 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Thread: id = 133 os_tid = 0x7a0 [0091.565] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0091.565] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.565] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0091.565] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.565] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0091.566] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0091.566] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.567] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0091.567] GetProcessHeap () returned 0x630000 [0091.567] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.568] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0091.568] GetLastError () returned 0x7e [0091.568] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0091.568] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0091.568] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x364) returned 0x640a00 [0091.568] SetLastError (dwErrCode=0x7e) [0091.569] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0xe00) returned 0x640d70 [0091.571] GetStartupInfoW (in: lpStartupInfo=0x1afb80 | out: lpStartupInfo=0x1afb80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0091.571] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0091.571] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0091.571] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0091.571] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto" [0091.571] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto" [0091.571] GetACP () returned 0x4e4 [0091.571] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x220) returned 0x641b78 [0091.571] IsValidCodePage (CodePage=0x4e4) returned 1 [0091.572] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1afba0 | out: lpCPInfo=0x1afba0) returned 1 [0091.572] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af468 | out: lpCPInfo=0x1af468) returned 1 [0091.572] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.572] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x1af208, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0091.572] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x1af47c | out: lpCharType=0x1af47c) returned 1 [0091.573] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.573] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x1af1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0091.573] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0091.573] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0091.573] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0091.573] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1aefa8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0091.573] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1af97c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿY#Ò8¸û\x1a", lpUsedDefaultChar=0x0) returned 256 [0091.573] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0091.573] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afa7c, cbMultiByte=256, lpWideCharStr=0x1af1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0091.573] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0091.573] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x1aefc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0091.573] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1af87c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿY#Ò8¸û\x1a", lpUsedDefaultChar=0x0) returned 256 [0091.574] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x80) returned 0x633840 [0091.574] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0091.574] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x16a) returned 0x641da0 [0091.574] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0091.574] GetLastError () returned 0x0 [0091.574] SetLastError (dwErrCode=0x0) [0091.574] GetEnvironmentStringsW () returned 0x641f18* [0091.574] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0xa8c) returned 0x6429b0 [0091.575] FreeEnvironmentStringsW (penv=0x641f18) returned 1 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x90) returned 0x634530 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3e) returned 0x63a950 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x5c) returned 0x638a30 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x6e) returned 0x634828 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x78) returned 0x643af0 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x62) returned 0x633fb0 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x28) returned 0x639e08 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x48) returned 0x633d60 [0091.575] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1a) returned 0x6345f8 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3a) returned 0x63b058 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x62) returned 0x634798 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2a) returned 0x6388a8 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2e) returned 0x638950 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1c) returned 0x634620 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x144) returned 0x639c48 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x7c) returned 0x638290 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x36) returned 0x63df50 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3a) returned 0x63afc8 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x90) returned 0x63a258 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x633bc0 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x30) returned 0x6388e0 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x36) returned 0x63e250 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x48) returned 0x6338e0 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x52) returned 0x6328e0 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x3c) returned 0x63ab00 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0xd6) returned 0x6304a0 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2e) returned 0x638918 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x1e) returned 0x630580 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2c) returned 0x638720 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x54) returned 0x634368 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x52) returned 0x633dd8 [0091.576] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x6343c8 [0091.577] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x42) returned 0x634038 [0091.577] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x2c) returned 0x638988 [0091.577] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x44) returned 0x634088 [0091.577] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x24) returned 0x633e38 [0091.578] HeapFree (in: hHeap=0x630000, dwFlags=0x0, lpMem=0x6429b0 | out: hHeap=0x630000) returned 1 [0091.578] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x8, Size=0x800) returned 0x641f18 [0091.578] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0091.578] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0091.578] GetStartupInfoW (in: lpStartupInfo=0x1afbe4 | out: lpStartupInfo=0x1afbe4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0091.578] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto" [0091.578] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto", pNumArgs=0x1afbd0 | out: pNumArgs=0x1afbd0) returned 0x642b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0091.579] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0091.582] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x1000) returned 0x644450 [0091.582] RtlAllocateHeap (HeapHandle=0x630000, Flags=0x0, Size=0x32) returned 0x63e390 [0091.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setCrypto", cchWideChar=-1, lpMultiByteStr=0x63e390, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setCrypto", lpUsedDefaultChar=0x0) returned 25 [0091.583] GetLastError () returned 0x0 [0091.583] SetLastError (dwErrCode=0x0) [0091.583] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoW") returned 0x0 [0091.583] GetLastError () returned 0x7f [0091.583] SetLastError (dwErrCode=0x7f) [0091.583] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoA") returned 0x0 [0091.584] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCrypto") returned 0x647c16e4 [0091.584] GetActiveWindow () returned 0x0 [0091.585] GetLastError () returned 0x7f [0091.585] SetLastError (dwErrCode=0x7f) Thread: id = 137 os_tid = 0xd9c Process: id = "69" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x488dc000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3476 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3477 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3478 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3479 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3480 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3481 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3482 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3483 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3484 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 3485 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3486 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3487 start_va = 0x7f4f0000 end_va = 0x7f512fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4f0000" filename = "" Region: id = 3488 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3489 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3490 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3491 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3513 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3514 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3515 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3516 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3517 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3518 start_va = 0xd00000 end_va = 0xe9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3519 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3520 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3565 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3566 start_va = 0x7f3f0000 end_va = 0x7f4effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3f0000" filename = "" Region: id = 3567 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3568 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3569 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3570 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3571 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3572 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3573 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3574 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3575 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3576 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3577 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3578 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3579 start_va = 0xcf0000 end_va = 0xcf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 3580 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3581 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3582 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3583 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3616 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3617 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3618 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3619 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3620 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3621 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3622 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 3623 start_va = 0xd00000 end_va = 0xd29fff monitored = 0 entry_point = 0xd05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3624 start_va = 0xda0000 end_va = 0xe9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 3625 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3626 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3627 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3628 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 3629 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 3630 start_va = 0xea0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 3631 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3632 start_va = 0xd00000 end_va = 0xd90fff monitored = 0 entry_point = 0xd38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3656 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3708 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3709 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 3710 start_va = 0xd10000 end_va = 0xd17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 3742 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 3753 start_va = 0xd20000 end_va = 0xd21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 3754 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 3755 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 3756 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 3757 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Thread: id = 135 os_tid = 0xda4 [0092.004] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.004] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.005] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.005] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.005] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.005] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.006] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.006] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.006] GetProcessHeap () returned 0xda0000 [0092.006] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.007] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.007] GetLastError () returned 0x7e [0092.007] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0092.007] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.007] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x364) returned 0xdb0a38 [0092.007] SetLastError (dwErrCode=0x7e) [0092.007] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0xe00) returned 0xdb0da8 [0092.010] GetStartupInfoW (in: lpStartupInfo=0x18f6e8 | out: lpStartupInfo=0x18f6e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.010] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0092.010] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0092.010] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0092.010] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem" [0092.010] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem" [0092.010] GetACP () returned 0x4e4 [0092.010] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x0, Size=0x220) returned 0xdb1bb0 [0092.010] IsValidCodePage (CodePage=0x4e4) returned 1 [0092.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f708 | out: lpCPInfo=0x18f708) returned 1 [0092.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18efd0 | out: lpCPInfo=0x18efd0) returned 1 [0092.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x18ed78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.010] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18efe4 | out: lpCharType=0x18efe4) returned 1 [0092.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x18ed28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0092.011] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.011] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0092.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0092.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f4e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿRYr8 ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0092.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpWideCharStr=0x18ed48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0092.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f3e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿRYr8 ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0092.012] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x0, Size=0x80) returned 0xda3840 [0092.012] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0092.012] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x16a) returned 0xdb1dd8 [0092.012] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0092.012] GetLastError () returned 0x0 [0092.012] SetLastError (dwErrCode=0x0) [0092.012] GetEnvironmentStringsW () returned 0xdb1f50* [0092.012] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x0, Size=0xa8c) returned 0xdb29e8 [0092.012] FreeEnvironmentStringsW (penv=0xdb1f50) returned 1 [0092.012] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x90) returned 0xda4530 [0092.012] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x3e) returned 0xdaafb8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x5c) returned 0xda8808 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x6e) returned 0xda45f8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x78) returned 0xdb42a8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x62) returned 0xda49c8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x28) returned 0xda3d60 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x48) returned 0xda3fb0 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x1a) returned 0xda0570 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x3a) returned 0xdaaf28 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x62) returned 0xda3bc0 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x2a) returned 0xda83e0 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x2e) returned 0xda86b8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x1c) returned 0xda3d90 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x144) returned 0xda9c80 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x7c) returned 0xda8068 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x36) returned 0xdae508 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x3a) returned 0xdaae98 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x90) returned 0xda4368 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x24) returned 0xda38e0 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x30) returned 0xda84f8 [0092.013] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x36) returned 0xdae148 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x48) returned 0xda28e0 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x52) returned 0xda04b8 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x3c) returned 0xdaaa60 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0xd6) returned 0xda9e40 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x2e) returned 0xda86f0 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x1e) returned 0xda2930 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x2c) returned 0xda8610 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x54) returned 0xda3dd8 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x52) returned 0xda4038 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x24) returned 0xda3e38 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x42) returned 0xda4098 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x2c) returned 0xda8450 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x44) returned 0xda9f70 [0092.014] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x24) returned 0xda3910 [0092.015] HeapFree (in: hHeap=0xda0000, dwFlags=0x0, lpMem=0xdb29e8 | out: hHeap=0xda0000) returned 1 [0092.016] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x8, Size=0x800) returned 0xdb1f50 [0092.016] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.016] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0092.016] GetStartupInfoW (in: lpStartupInfo=0x18f74c | out: lpStartupInfo=0x18f74c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.016] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem" [0092.016] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem", pNumArgs=0x18f738 | out: pNumArgs=0x18f738) returned 0xdb2ba0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0092.017] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0092.020] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x0, Size=0x1000) returned 0xdb4488 [0092.020] RtlAllocateHeap (HeapHandle=0xda0000, Flags=0x0, Size=0x32) returned 0xdae388 [0092.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setSystem", cchWideChar=-1, lpMultiByteStr=0xdae388, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setSystem", lpUsedDefaultChar=0x0) returned 25 [0092.020] GetLastError () returned 0x0 [0092.020] SetLastError (dwErrCode=0x0) [0092.020] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemW") returned 0x0 [0092.020] GetLastError () returned 0x7f [0092.020] SetLastError (dwErrCode=0x7f) [0092.021] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemA") returned 0x0 [0092.021] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystem") returned 0x647c1699 [0092.021] GetActiveWindow () returned 0x0 [0092.199] GetLastError () returned 0x7f [0092.200] SetLastError (dwErrCode=0x7f) Thread: id = 140 os_tid = 0xd70 Process: id = "70" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63e07000" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "65" os_parent_pid = "0x13f8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "71" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x633f5000" os_pid = "0x10e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3545 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3546 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3547 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3548 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 3549 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 3550 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3551 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3552 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3553 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3554 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3555 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3556 start_va = 0x7e3d0000 end_va = 0x7e3f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3d0000" filename = "" Region: id = 3557 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3558 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3559 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3560 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3588 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3589 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3590 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3591 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3592 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3593 start_va = 0x400000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3594 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3595 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3633 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3634 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3635 start_va = 0x7e2d0000 end_va = 0x7e3cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2d0000" filename = "" Region: id = 3636 start_va = 0x5b0000 end_va = 0x66dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3637 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3638 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3639 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3640 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 3641 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 3642 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3643 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3644 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3645 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3646 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3647 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3658 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3659 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3660 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3661 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3662 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3663 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3664 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3665 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3666 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3667 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3668 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3669 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3704 start_va = 0x550000 end_va = 0x579fff monitored = 0 entry_point = 0x555680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3705 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 3706 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3711 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3712 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3713 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 3714 start_va = 0xa90000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3715 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3716 start_va = 0xa90000 end_va = 0xb20fff monitored = 0 entry_point = 0xac8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3717 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 3743 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3758 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3759 start_va = 0xa90000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 3760 start_va = 0x550000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3761 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3762 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3763 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3764 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3765 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3766 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3767 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3768 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3769 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3770 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3771 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3772 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3773 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3774 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3775 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3776 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3777 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3778 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3779 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3780 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3781 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3782 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3783 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3784 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3785 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3786 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3787 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3788 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3789 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3790 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3791 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3792 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3793 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3794 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3795 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3796 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3797 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3798 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3897 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3898 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3899 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3900 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3901 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3902 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3903 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3904 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3905 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3906 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3907 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3908 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3909 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3910 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3911 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3912 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3913 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3914 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3915 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3916 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3917 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3918 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3919 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3920 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3921 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3922 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3923 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3924 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3925 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3926 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3927 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3928 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3929 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3930 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3931 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3932 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3933 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3934 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3935 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3936 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3937 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3938 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3939 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3940 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3941 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3942 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3943 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3944 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3945 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3946 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3947 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3948 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3949 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3950 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3951 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3952 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4059 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4060 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4061 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4062 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4063 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4064 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4065 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4066 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4067 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4068 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4069 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4070 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4071 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4072 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4073 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4074 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4075 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4076 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4077 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4078 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4079 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4080 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4081 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4082 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4083 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4084 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4085 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4086 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4087 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4088 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4089 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4090 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4091 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4092 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4093 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4094 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4095 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4096 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4097 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4098 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4099 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4100 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4101 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4102 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4103 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4104 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4105 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4106 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4107 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4108 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4109 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4110 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4111 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4112 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4113 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4114 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4115 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4116 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4117 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4118 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4119 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4120 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4121 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4122 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4123 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4124 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4125 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4126 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4127 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4128 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4129 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4130 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4203 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4204 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4205 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4206 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4207 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4208 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4209 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4210 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4211 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4212 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4213 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4214 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4215 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4216 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4217 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4218 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4219 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4220 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4221 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4222 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4223 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4224 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4225 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4226 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4227 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4228 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4229 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4230 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4231 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4232 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4233 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4234 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4235 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4236 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4237 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4238 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4239 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4240 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4241 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4242 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4243 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4244 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4245 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4246 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4247 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4248 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4249 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4250 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4251 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4252 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4253 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4254 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4255 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4256 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4257 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4258 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4259 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4260 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4261 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4262 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4263 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4264 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4265 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4266 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4267 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4268 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4269 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4270 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4271 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4272 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4273 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4274 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4365 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4366 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4367 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4368 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4369 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4370 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4371 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4372 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4373 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4374 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4375 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4376 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4377 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 13857 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13858 start_va = 0x400000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13859 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 13860 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Thread: id = 138 os_tid = 0xcb4 [0092.412] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.412] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.412] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.412] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.412] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.412] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.413] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.413] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.414] GetProcessHeap () returned 0x450000 [0092.414] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.414] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.414] GetLastError () returned 0x7e [0092.414] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0092.414] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.414] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x364) returned 0x4609f0 [0092.414] SetLastError (dwErrCode=0x7e) [0092.415] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xe00) returned 0x460d60 [0092.417] GetStartupInfoW (in: lpStartupInfo=0x1efd74 | out: lpStartupInfo=0x1efd74*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.417] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0092.417] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0092.417] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0092.417] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup" [0092.417] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup" [0092.417] GetACP () returned 0x4e4 [0092.417] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x220) returned 0x461b68 [0092.417] IsValidCodePage (CodePage=0x4e4) returned 1 [0092.417] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1efd94 | out: lpCPInfo=0x1efd94) returned 1 [0092.417] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef65c | out: lpCPInfo=0x1ef65c) returned 1 [0092.417] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.417] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x1ef3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.417] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1ef670 | out: lpCharType=0x1ef670) returned 1 [0092.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x1ef3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.418] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.418] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0092.418] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.418] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1ef1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0092.418] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1efb70, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿôI¸Þ¬ý\x1e", lpUsedDefaultChar=0x0) returned 256 [0092.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.418] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1efc70, cbMultiByte=256, lpWideCharStr=0x1ef3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.418] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.418] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1ef1b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0092.418] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1efa70, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿôI¸Þ¬ý\x1e", lpUsedDefaultChar=0x0) returned 256 [0092.418] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x80) returned 0x453830 [0092.419] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x15c) returned 0x459c38 [0092.419] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0092.419] GetLastError () returned 0x0 [0092.419] SetLastError (dwErrCode=0x0) [0092.419] GetEnvironmentStringsW () returned 0x461d90* [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0xa8c) returned 0x462828 [0092.419] FreeEnvironmentStringsW (penv=0x461d90) returned 1 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x90) returned 0x454520 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3e) returned 0x45aaa8 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x5c) returned 0x458a20 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x6e) returned 0x454818 [0092.419] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x78) returned 0x463fe8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x62) returned 0x453fa0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x28) returned 0x459df8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x48) returned 0x453d50 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1a) returned 0x4545e8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3a) returned 0x45ac58 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x62) returned 0x454788 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2a) returned 0x458780 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2e) returned 0x458908 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1c) returned 0x454610 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x144) returned 0x461d90 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x7c) returned 0x458280 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x36) returned 0x45e400 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3a) returned 0x45aee0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x90) returned 0x45a248 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x453bb0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x30) returned 0x4586a0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x36) returned 0x45e040 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x48) returned 0x4538d0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x52) returned 0x4528d8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x3c) returned 0x45ac10 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0xd6) returned 0x4504a0 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2e) returned 0x458860 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x1e) returned 0x450580 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2c) returned 0x4586d8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x54) returned 0x454358 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x52) returned 0x453dc8 [0092.420] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x4543b8 [0092.421] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x42) returned 0x454028 [0092.421] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x2c) returned 0x458710 [0092.421] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x44) returned 0x454078 [0092.421] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x24) returned 0x453e28 [0092.421] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x462828 | out: hHeap=0x450000) returned 1 [0092.421] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x8, Size=0x800) returned 0x461ee0 [0092.421] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.421] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0092.422] GetStartupInfoW (in: lpStartupInfo=0x1efdd8 | out: lpStartupInfo=0x1efdd8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.422] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup" [0092.422] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup", pNumArgs=0x1efdc4 | out: pNumArgs=0x1efdc4) returned 0x462b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0092.422] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0092.425] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x1000) returned 0x4642c8 [0092.425] RtlAllocateHeap (HeapHandle=0x450000, Flags=0x0, Size=0x24) returned 0x45a360 [0092.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_forkFixup", cchWideChar=-1, lpMultiByteStr=0x45a360, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_forkFixup", lpUsedDefaultChar=0x0) returned 18 [0092.426] GetLastError () returned 0x0 [0092.426] SetLastError (dwErrCode=0x0) [0092.426] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupW") returned 0x0 [0092.426] GetLastError () returned 0x7f [0092.426] SetLastError (dwErrCode=0x7f) [0092.426] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupA") returned 0x0 [0092.427] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixup") returned 0x647cbbb3 [0092.427] GetActiveWindow () returned 0x0 [0092.571] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4642c8 | out: hHeap=0x450000) returned 1 [0092.571] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x45a360 | out: hHeap=0x450000) returned 1 [0092.571] GetCurrentProcessId () returned 0x10e8 [0092.571] GetCurrentThreadId () returned 0xcb4 [0092.571] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0092.581] Thread32First (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.581] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.582] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.583] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.583] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.584] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.584] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.585] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.585] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.586] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.587] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.587] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.588] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.589] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.590] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.590] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.591] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.591] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.592] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.592] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.593] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.594] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.594] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.595] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.595] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.596] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.597] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.597] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.598] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.598] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.599] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.600] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.600] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.601] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.601] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.602] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.602] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.836] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.836] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.837] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.838] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.838] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.839] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.840] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.840] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.841] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.842] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.842] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.843] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.844] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.845] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.846] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.846] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.847] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.848] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.848] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.849] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.849] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.850] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.850] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.851] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.852] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.852] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.853] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.854] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.854] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.855] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.855] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.856] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.857] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.857] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.858] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.858] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.859] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.860] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.860] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.861] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.861] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.862] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.862] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.863] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.864] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.864] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.865] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.865] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.866] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.867] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.867] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.868] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.868] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.869] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.870] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0092.870] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.096] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.096] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.097] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.098] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.098] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.099] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.100] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.100] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.101] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.102] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.102] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.103] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.104] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.105] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.105] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.106] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.106] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.107] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.108] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.108] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.109] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.109] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.110] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.111] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.111] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.112] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.112] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.113] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.113] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.114] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.115] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.115] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.116] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.116] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.117] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.118] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.118] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.119] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.119] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.120] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.120] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.121] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.166] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.167] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.168] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.168] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.169] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.169] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.170] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.171] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.171] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.172] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.173] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.173] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.174] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.174] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.175] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.175] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.176] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.177] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.177] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.178] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.178] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.179] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.179] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.180] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.181] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.181] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.182] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.182] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.183] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.183] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.325] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.325] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.326] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.327] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.327] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.328] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.329] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.329] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.330] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.331] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.331] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.332] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.333] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.333] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.334] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.334] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.335] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.335] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.336] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.337] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.338] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.338] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.339] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.340] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.340] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.341] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.342] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.342] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.343] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.343] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.344] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.344] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.345] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.346] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.346] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.347] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.347] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.348] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.348] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.349] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.350] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.350] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.351] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.351] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.352] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.352] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.353] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.354] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.355] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.355] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.356] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.356] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.357] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.357] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.358] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.359] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.359] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.360] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.361] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.361] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.362] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.362] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.363] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.363] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.364] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.365] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.365] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.366] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.366] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.367] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.367] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.368] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.552] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.553] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.554] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.554] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.555] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.555] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.556] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.557] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.557] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.558] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.558] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.559] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0093.560] Thread32Next (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0095.253] CloseHandle (hObject=0x150) returned 1 [0095.253] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x13fc) returned 0x150 [0095.253] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0152.451] CloseHandle (hObject=0x150) returned 1 [0152.451] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0152.462] Thread32First (hSnapshot=0x150, lpte=0x1efda8) returned 1 [0154.471] CloseHandle (hObject=0x150) returned 1 [0154.471] FreeLibrary (hLibModule=0x647c0000) returned 1 [0154.472] LocalFree (hMem=0x462b30) returned 0x0 [0154.473] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0154.473] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0154.473] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x453830 | out: hHeap=0x450000) returned 1 [0154.474] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x461ee0 | out: hHeap=0x450000) returned 1 [0154.474] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0154.474] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0154.474] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1efdd0 | out: phModule=0x1efdd0) returned 0 [0154.474] ExitProcess (uExitCode=0x0) [0154.475] HeapFree (in: hHeap=0x450000, dwFlags=0x0, lpMem=0x4609f0 | out: hHeap=0x450000) returned 1 Thread: id = 143 os_tid = 0x13fc Process: id = "72" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x567a5000" os_pid = "0x1150" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "67" os_parent_pid = "0xd78" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "73" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1500c000" os_pid = "0x97c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3598 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3599 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3600 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3601 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3602 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3603 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3604 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3605 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3606 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3607 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3608 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3609 start_va = 0x7e6e0000 end_va = 0x7e702fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6e0000" filename = "" Region: id = 3610 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3611 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3612 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3613 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3648 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3649 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3650 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3651 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3652 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3653 start_va = 0x410000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3670 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3671 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3672 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3673 start_va = 0x7e5e0000 end_va = 0x7e6dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5e0000" filename = "" Region: id = 3674 start_va = 0x520000 end_va = 0x5ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3675 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3676 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3677 start_va = 0x5e0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 3678 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3679 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3680 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3681 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3682 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3683 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3684 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3685 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3686 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3687 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3722 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3723 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3724 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3725 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3726 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3727 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3728 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3729 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3730 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3731 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 3732 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3733 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3744 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3745 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3746 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3747 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 3748 start_va = 0xa40000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3749 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3750 start_va = 0xab0000 end_va = 0xb40fff monitored = 0 entry_point = 0xae8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3820 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 3821 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3822 start_va = 0x420000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3823 start_va = 0xab0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 3824 start_va = 0xa40000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3825 start_va = 0xaa0000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 3826 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3827 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3828 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3829 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3830 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3831 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3832 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3833 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3834 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3835 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3836 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3837 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3838 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3839 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3840 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3841 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3842 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3843 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3844 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3845 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3846 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3847 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3848 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3849 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3850 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3851 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3852 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3853 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3854 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3855 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3856 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3857 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3858 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3859 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3860 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3861 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3862 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3863 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3864 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3865 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3866 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3867 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3868 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3869 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3870 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3871 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3872 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3873 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3874 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3875 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3876 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3877 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3878 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3879 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3880 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3971 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3972 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3973 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3974 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3975 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3976 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3977 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3978 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3979 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3980 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3981 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3982 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3983 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3984 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3985 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3986 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3987 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3988 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3989 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3990 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3991 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3992 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3993 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3994 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3995 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3996 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3997 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3998 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3999 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4000 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4001 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4002 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4003 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4004 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4005 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4006 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4007 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4008 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4009 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4010 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4011 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4012 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4013 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4014 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4015 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4016 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4017 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4018 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4019 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4020 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4021 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4022 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4023 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4024 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4025 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4026 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4027 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4028 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4029 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4030 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4031 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4032 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4033 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4132 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4133 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4134 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4135 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4136 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4137 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4138 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4139 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4140 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4141 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4142 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4143 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4144 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4145 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4146 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4147 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4148 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4149 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4150 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4151 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4152 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4153 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4154 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4155 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4156 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4157 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4158 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4159 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4160 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4161 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4162 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4163 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4164 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4165 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4166 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4167 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4168 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4169 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4170 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4171 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4172 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4173 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4174 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4175 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4176 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4177 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4178 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4179 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4180 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4181 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4182 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4183 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4184 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4185 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4186 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4187 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4188 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4189 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4278 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4279 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4280 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4281 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4282 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4283 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4284 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4285 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4286 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4287 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4288 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4289 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4290 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4291 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4292 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4293 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4294 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4295 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4296 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4297 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4298 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4299 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4300 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4301 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4302 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4303 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4304 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4305 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4306 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4307 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4308 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4309 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4310 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4311 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4312 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4313 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4314 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4315 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4316 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4317 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4318 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4319 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4320 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4321 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4322 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4323 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4324 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4325 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4326 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4327 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4328 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4329 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4330 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4331 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4332 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4333 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4334 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4335 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4336 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4337 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4338 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4339 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4340 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4341 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4342 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4343 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4344 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4345 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4346 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4347 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4389 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4390 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4391 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4392 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4393 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 13866 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 13867 start_va = 0x5e0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 13868 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 13869 start_va = 0x410000 end_va = 0x415fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Thread: id = 141 os_tid = 0xcd0 [0092.526] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.527] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.527] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.527] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.527] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.527] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.528] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.528] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.528] GetProcessHeap () returned 0x420000 [0092.528] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.528] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.528] GetLastError () returned 0x7e [0092.528] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0092.529] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.529] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x364) returned 0x430a28 [0092.529] SetLastError (dwErrCode=0x7e) [0092.529] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe00) returned 0x430d98 [0092.530] GetStartupInfoW (in: lpStartupInfo=0x18fe64 | out: lpStartupInfo=0x18fe64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.531] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0092.531] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0092.531] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0092.531] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures" [0092.531] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures" [0092.531] GetACP () returned 0x4e4 [0092.531] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x220) returned 0x431ba0 [0092.531] IsValidCodePage (CodePage=0x4e4) returned 1 [0092.531] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0092.531] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f74c | out: lpCPInfo=0x18f74c) returned 1 [0092.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.531] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f760 | out: lpCharType=0x18f760) returned 1 [0092.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.531] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.531] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0092.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0092.532] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9f\x86ôê\x9cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0092.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.532] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.532] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.532] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0092.532] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9f\x86ôê\x9cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0092.532] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x80) returned 0x423830 [0092.532] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0092.532] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x160) returned 0x429c70 [0092.532] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0092.532] GetLastError () returned 0x0 [0092.532] SetLastError (dwErrCode=0x0) [0092.532] GetEnvironmentStringsW () returned 0x431dc8* [0092.532] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa8c) returned 0x432860 [0092.533] FreeEnvironmentStringsW (penv=0x431dc8) returned 1 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x90) returned 0x424520 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3e) returned 0x42aae0 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x5c) returned 0x428a58 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x6e) returned 0x4245e8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x78) returned 0x433620 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x62) returned 0x4249b8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x28) returned 0x423d50 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x48) returned 0x423fa0 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x420570 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3a) returned 0x42adf8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x62) returned 0x423bb0 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2a) returned 0x428940 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2e) returned 0x428748 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1c) returned 0x423d80 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x144) returned 0x431dc8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x7c) returned 0x428058 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x36) returned 0x42e0f8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3a) returned 0x42ad20 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x90) returned 0x424358 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x4238d0 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x30) returned 0x428630 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x36) returned 0x42df38 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x48) returned 0x4228d8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x52) returned 0x4204b8 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3c) returned 0x42aa50 [0092.533] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xd6) returned 0x429e30 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2e) returned 0x4287f0 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1e) returned 0x422928 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2c) returned 0x428898 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x54) returned 0x423dc8 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x52) returned 0x424028 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x423e28 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x42) returned 0x424088 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2c) returned 0x428828 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x44) returned 0x429f60 [0092.534] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x423900 [0092.535] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x432860 | out: hHeap=0x420000) returned 1 [0092.535] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x800) returned 0x431f18 [0092.535] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.535] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0092.535] GetStartupInfoW (in: lpStartupInfo=0x18fec8 | out: lpStartupInfo=0x18fec8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.535] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures" [0092.535] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures", pNumArgs=0x18feb4 | out: pNumArgs=0x18feb4) returned 0x432b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0092.536] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0092.748] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1000) returned 0x434300 [0092.748] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x28) returned 0x42a6a8 [0092.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getFeatures", cchWideChar=-1, lpMultiByteStr=0x42a6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getFeatures", lpUsedDefaultChar=0x0) returned 20 [0092.748] GetLastError () returned 0x0 [0092.748] SetLastError (dwErrCode=0x0) [0092.748] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesW") returned 0x0 [0092.748] GetLastError () returned 0x7f [0092.748] SetLastError (dwErrCode=0x7f) [0092.748] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesA") returned 0x0 [0092.748] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeatures") returned 0x647caac0 [0092.748] GetActiveWindow () returned 0x0 [0092.749] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x434300 | out: hHeap=0x420000) returned 1 [0092.750] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x42a6a8 | out: hHeap=0x420000) returned 1 [0092.750] GetCurrentProcessId () returned 0x97c [0092.750] GetCurrentThreadId () returned 0xcd0 [0092.750] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0092.758] Thread32First (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.758] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.759] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.760] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.760] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.761] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.761] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.762] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.763] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.763] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.764] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.764] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.765] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.765] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.766] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.767] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.767] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.768] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.768] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.769] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.770] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.770] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.771] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.771] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.772] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.773] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.773] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.774] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.774] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.776] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.776] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.777] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.777] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.778] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.778] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.779] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.780] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.780] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.781] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.781] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.782] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.783] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.783] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.784] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.784] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.785] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.786] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.786] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.787] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.787] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.788] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.789] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.789] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.790] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.790] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.987] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.988] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.989] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.989] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.990] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.990] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.991] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.991] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.992] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.993] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.993] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.994] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.994] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.995] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.996] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.996] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.997] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.997] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.998] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.999] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0092.999] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.000] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.000] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.001] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.001] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.002] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.003] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.003] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.004] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.004] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.005] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.006] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.006] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.007] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.007] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.008] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.008] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.009] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.011] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.012] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.012] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.013] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.013] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.014] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.014] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.015] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.016] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.016] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.017] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.017] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.018] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.019] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.019] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.020] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.020] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.021] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.022] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.022] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.023] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.023] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.024] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.024] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.256] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.257] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.257] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.258] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.258] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.259] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.260] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.260] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.261] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.261] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.262] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.263] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.263] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.264] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.264] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.265] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.266] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.266] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.267] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.267] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.268] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.268] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.269] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.270] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.270] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.271] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.271] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.272] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.273] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.273] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.274] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.274] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.275] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.276] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.276] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.277] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.278] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.278] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.279] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.279] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.280] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.281] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.281] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.282] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.282] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.283] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.283] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.284] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.285] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.285] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.286] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.286] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.287] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.288] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.288] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.289] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.289] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.290] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.427] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.468] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.469] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.471] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.471] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.473] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.474] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.474] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.476] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.476] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.477] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.478] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.479] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.479] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.480] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.481] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.481] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.482] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.482] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.483] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.483] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.484] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.485] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.485] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.486] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.486] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.487] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.488] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.488] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.489] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.489] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.490] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.490] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.491] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.492] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.492] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.493] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.493] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.494] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.495] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.495] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.496] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.496] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.497] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.498] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.498] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.499] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.499] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.500] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.501] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.501] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.502] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.502] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.503] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.503] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.504] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.505] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.505] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.506] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.506] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.507] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.507] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.508] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.509] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.717] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.718] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.718] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.719] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0093.720] Thread32Next (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0095.263] CloseHandle (hObject=0x150) returned 1 [0095.264] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x1194) returned 0x150 [0095.264] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0152.615] CloseHandle (hObject=0x150) returned 1 [0152.615] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0152.627] Thread32First (hSnapshot=0x150, lpte=0x18fe98) returned 1 [0154.411] CloseHandle (hObject=0x150) returned 1 [0154.411] FreeLibrary (hLibModule=0x647c0000) returned 1 [0154.412] LocalFree (hMem=0x432b68) returned 0x0 [0154.412] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0154.413] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0154.413] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x423830 | out: hHeap=0x420000) returned 1 [0154.414] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x431f18 | out: hHeap=0x420000) returned 1 [0154.414] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0154.414] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0154.414] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fec0 | out: phModule=0x18fec0) returned 0 [0154.664] ExitProcess (uExitCode=0x0) [0154.665] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x430a28 | out: hHeap=0x420000) returned 1 Thread: id = 144 os_tid = 0x1194 Process: id = "74" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5dd23000" os_pid = "0x116c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3688 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3689 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3690 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3691 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3692 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3693 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3694 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3695 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3696 start_va = 0xd00000 end_va = 0xd01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3697 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3698 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3699 start_va = 0x7e920000 end_va = 0x7e942fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e920000" filename = "" Region: id = 3700 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3701 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3702 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3703 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 3734 start_va = 0x400000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3735 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3736 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3737 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3738 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3739 start_va = 0xd10000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 3740 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3741 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3799 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3800 start_va = 0x7e820000 end_va = 0x7e91ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e820000" filename = "" Region: id = 3801 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3802 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3803 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3804 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3805 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3806 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3807 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3808 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3809 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3810 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 3811 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 3812 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3813 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3814 start_va = 0xd00000 end_va = 0xd03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 3815 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3816 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3817 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3953 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3954 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3955 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 3956 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 3957 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 3958 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 3959 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3960 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3961 start_va = 0xd10000 end_va = 0xd39fff monitored = 0 entry_point = 0xd15680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3962 start_va = 0xd40000 end_va = 0xe3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 3963 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3964 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3965 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 3966 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3967 start_va = 0xe40000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3968 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 3969 start_va = 0xe40000 end_va = 0xed0fff monitored = 0 entry_point = 0xe78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3970 start_va = 0xee0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 4131 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 4275 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 4276 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 4277 start_va = 0xd20000 end_va = 0xd27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 4380 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 4420 start_va = 0xd30000 end_va = 0xd31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 4421 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 4422 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 4423 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 4424 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Thread: id = 145 os_tid = 0x1134 [0092.976] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.976] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.976] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.977] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.977] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.977] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.977] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.978] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0092.979] GetProcessHeap () returned 0xd40000 [0092.979] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.979] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0092.979] GetLastError () returned 0x7e [0092.979] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0092.979] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0092.979] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x364) returned 0xd50a28 [0092.980] SetLastError (dwErrCode=0x7e) [0092.980] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0xe00) returned 0xd50d98 [0092.981] GetStartupInfoW (in: lpStartupInfo=0x18f704 | out: lpStartupInfo=0x18f704*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.981] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0092.981] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0092.981] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0092.981] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel" [0092.981] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel" [0092.981] GetACP () returned 0x4e4 [0092.982] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x0, Size=0x220) returned 0xd51ba0 [0092.982] IsValidCodePage (CodePage=0x4e4) returned 1 [0092.982] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f724 | out: lpCPInfo=0x18f724) returned 1 [0092.982] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18efec | out: lpCPInfo=0x18efec) returned 1 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.982] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f000 | out: lpCharType=0x18f000) returned 1 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x18ed48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.982] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0092.982] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0092.982] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.982] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0092.982] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f500, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿáUôÇ<÷\x18", lpUsedDefaultChar=0x0) returned 256 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0092.982] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f600, cbMultiByte=256, lpWideCharStr=0x18ed58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0092.982] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0092.982] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0092.982] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f400, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿáUôÇ<÷\x18", lpUsedDefaultChar=0x0) returned 256 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x0, Size=0x80) returned 0xd43830 [0092.983] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x160) returned 0xd49c70 [0092.983] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0092.983] GetLastError () returned 0x0 [0092.983] SetLastError (dwErrCode=0x0) [0092.983] GetEnvironmentStringsW () returned 0xd51dc8* [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x0, Size=0xa8c) returned 0xd52860 [0092.983] FreeEnvironmentStringsW (penv=0xd51dc8) returned 1 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x90) returned 0xd44520 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x3e) returned 0xd4ae88 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x5c) returned 0xd487f8 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x6e) returned 0xd445e8 [0092.983] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x78) returned 0xd53d20 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x62) returned 0xd449b8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x28) returned 0xd43d50 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x48) returned 0xd43fa0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x1a) returned 0xd40570 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x3a) returned 0xd4a9c0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x62) returned 0xd43bb0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x2a) returned 0xd48718 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x2e) returned 0xd484b0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x1c) returned 0xd43d80 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x144) returned 0xd51dc8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x7c) returned 0xd48058 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x36) returned 0xd4e5f8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x3a) returned 0xd4ad68 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x90) returned 0xd44358 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x24) returned 0xd438d0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x30) returned 0xd48520 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x36) returned 0xd4e278 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x48) returned 0xd428d8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x52) returned 0xd404b8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x3c) returned 0xd4ae40 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0xd6) returned 0xd49e30 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x2e) returned 0xd48750 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x1e) returned 0xd42928 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x2c) returned 0xd486e0 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x54) returned 0xd43dc8 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x52) returned 0xd44028 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x24) returned 0xd43e28 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x42) returned 0xd44088 [0092.984] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x2c) returned 0xd484e8 [0092.985] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x44) returned 0xd49f60 [0092.985] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x24) returned 0xd43900 [0092.985] HeapFree (in: hHeap=0xd40000, dwFlags=0x0, lpMem=0xd52860 | out: hHeap=0xd40000) returned 1 [0092.985] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x8, Size=0x800) returned 0xd51f18 [0092.985] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0092.985] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0092.985] GetStartupInfoW (in: lpStartupInfo=0x18f768 | out: lpStartupInfo=0x18f768*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0092.985] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel" [0092.986] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel", pNumArgs=0x18f754 | out: pNumArgs=0x18f754) returned 0xd52b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0092.986] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0093.255] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x0, Size=0x1000) returned 0xd54300 [0093.255] RtlAllocateHeap (HeapHandle=0xd40000, Flags=0x0, Size=0x28) returned 0xd4a6a8 [0093.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getLogLevel", cchWideChar=-1, lpMultiByteStr=0xd4a6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getLogLevel", lpUsedDefaultChar=0x0) returned 20 [0093.255] GetLastError () returned 0x0 [0093.255] SetLastError (dwErrCode=0x0) [0093.255] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelW") returned 0x0 [0093.255] GetLastError () returned 0x7f [0093.255] SetLastError (dwErrCode=0x7f) [0093.255] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelA") returned 0x0 [0093.256] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevel") returned 0x647cb01c [0093.256] GetActiveWindow () returned 0x0 [0093.373] GetLastError () returned 0x7f [0093.373] SetLastError (dwErrCode=0x7f) Thread: id = 147 os_tid = 0xccc Process: id = "75" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4843b000" os_pid = "0x10e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3881 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3882 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3883 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3884 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3885 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3886 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3887 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3888 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3889 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3890 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 3891 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3892 start_va = 0x7e930000 end_va = 0x7e952fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e930000" filename = "" Region: id = 3893 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3894 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3895 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3896 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 4034 start_va = 0x410000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4035 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4036 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4037 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4038 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4039 start_va = 0x410000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4040 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4190 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4191 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4192 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4193 start_va = 0x7e830000 end_va = 0x7e92ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e830000" filename = "" Region: id = 4194 start_va = 0x570000 end_va = 0x62dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4195 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4196 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4197 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4198 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 4199 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4200 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4201 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4202 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4348 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4349 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4350 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4351 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4352 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4353 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4354 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4355 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4356 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4357 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4358 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4359 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4360 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4361 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4362 start_va = 0x530000 end_va = 0x559fff monitored = 0 entry_point = 0x535680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4363 start_va = 0x730000 end_va = 0x8b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 4364 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4394 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4395 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 4396 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4397 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 4398 start_va = 0xa50000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 4399 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 4400 start_va = 0xa50000 end_va = 0xae0fff monitored = 0 entry_point = 0xa88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4401 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 4445 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 4446 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4447 start_va = 0xa50000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 4448 start_va = 0x530000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4449 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4450 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4451 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4452 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4453 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4454 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4455 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4456 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4457 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4458 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4459 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4460 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4461 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4462 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4463 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4464 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4465 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4466 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4467 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4468 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4469 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4470 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4471 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4472 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4473 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4474 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4475 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4476 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4477 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4478 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4479 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4480 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4481 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4482 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4503 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4504 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4505 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4506 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4507 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4508 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4509 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4510 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4511 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4512 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4513 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4514 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4515 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4516 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4517 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4518 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4519 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4520 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4521 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4522 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4523 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4524 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4525 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4526 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4527 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4528 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4529 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4530 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4531 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4532 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4533 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4534 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4535 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4536 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4537 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4538 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4539 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4540 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4541 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4542 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4543 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4544 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4545 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4546 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4547 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4548 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4549 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4550 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4551 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4552 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4553 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4554 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4555 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4556 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4557 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4572 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4573 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4574 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4575 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4576 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4577 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4578 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4579 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4580 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4581 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4582 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4583 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4584 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4585 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4586 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4587 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4588 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4589 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4590 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4591 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4592 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4593 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4594 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4595 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4596 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4597 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4598 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4599 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4600 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4601 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4602 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4603 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4604 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4605 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4606 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4607 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4608 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4609 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4610 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4611 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4612 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4613 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4614 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4615 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4616 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4617 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4618 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4619 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4620 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4621 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4622 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4623 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4624 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4625 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4626 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4627 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4628 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4629 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4630 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4631 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4632 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4633 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4634 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4635 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4636 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4637 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4638 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4685 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4686 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4687 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4688 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4689 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4690 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4691 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4692 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4693 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4694 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4695 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4696 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4697 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4698 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4699 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4700 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4701 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4702 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4703 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4704 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4705 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4706 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4707 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4708 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4709 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4710 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4711 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4712 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4713 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4714 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4715 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4716 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4717 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4718 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4719 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4720 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4721 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4722 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4723 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4724 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4725 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4726 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4727 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4728 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4729 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4730 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4731 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4732 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4733 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4734 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4735 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4802 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4803 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4804 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4805 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4806 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4807 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4808 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4809 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4810 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4811 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4812 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4813 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4814 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4815 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4816 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4817 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4818 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4819 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4820 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4821 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4822 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4823 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4824 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4825 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4826 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4827 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4828 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4829 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4830 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4831 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4832 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4833 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4834 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4835 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4836 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4837 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4838 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4839 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4840 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4841 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4842 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4843 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4844 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4845 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4846 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4847 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4848 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4849 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4850 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4851 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4852 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4853 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4854 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4935 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4936 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4937 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4938 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4939 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4940 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4941 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4942 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4943 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4944 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4945 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4946 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4947 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4948 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4949 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4950 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4951 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4952 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4953 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4954 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4955 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4956 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4957 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4958 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4959 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4960 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4961 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4962 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4963 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4964 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4965 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4966 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4967 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4968 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4969 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4970 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4971 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4972 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4973 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4974 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4975 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4976 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4977 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4978 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4979 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4980 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4981 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4982 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4983 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4984 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4985 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4986 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4987 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4988 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4989 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4990 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4991 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4992 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4993 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4994 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4995 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4996 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5058 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5059 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5060 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5061 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5062 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5063 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5064 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5065 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5066 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5067 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5068 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5069 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5070 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5071 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5072 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5073 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5074 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5075 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5076 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5077 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5078 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5079 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5080 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5081 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5082 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5083 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5084 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5085 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5086 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5087 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5088 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5089 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5090 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5091 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5092 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5093 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5094 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5095 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5096 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5097 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5098 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5099 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5100 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5101 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5102 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5103 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5104 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5105 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5106 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5107 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5108 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5109 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5110 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5111 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5112 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5113 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5114 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5115 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5116 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5117 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5118 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5172 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5173 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5174 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5175 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5176 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5177 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5178 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5179 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5180 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5181 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5182 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5183 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5184 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5185 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5186 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5187 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5188 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5189 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5190 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5191 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5192 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5193 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5194 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5195 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5196 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5197 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5198 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5199 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5200 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5201 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5202 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5203 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5204 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5205 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5206 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5207 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5208 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5209 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5210 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5211 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5212 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5213 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5214 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5215 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5216 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5217 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5218 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5219 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5220 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5221 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5222 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5223 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5224 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5225 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5226 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5227 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5228 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5229 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5230 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5231 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5232 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5233 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5234 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5235 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5324 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5325 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5326 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5327 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5328 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5329 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5330 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5331 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 5332 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 13938 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 13939 start_va = 0x530000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 13940 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 13941 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Thread: id = 148 os_tid = 0xd50 [0093.782] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0093.782] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0093.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0093.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0093.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0093.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0093.783] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0093.783] GetProcessHeap () returned 0x430000 [0093.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0093.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0093.784] GetLastError () returned 0x7e [0093.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0093.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0093.784] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x364) returned 0x440a28 [0093.784] SetLastError (dwErrCode=0x7e) [0093.784] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe00) returned 0x440d98 [0093.786] GetStartupInfoW (in: lpStartupInfo=0x18fca4 | out: lpStartupInfo=0x18fca4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0093.786] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0093.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0093.786] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0093.786] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage" [0093.786] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage" [0093.786] GetACP () returned 0x4e4 [0093.786] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x220) returned 0x441ba0 [0093.786] IsValidCodePage (CodePage=0x4e4) returned 1 [0093.786] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcc4 | out: lpCPInfo=0x18fcc4) returned 1 [0093.786] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f58c | out: lpCPInfo=0x18f58c) returned 1 [0093.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x18f328, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0093.786] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f5a0 | out: lpCharType=0x18f5a0) returned 1 [0093.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0093.787] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0093.787] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0093.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0093.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0093.787] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faa0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿïÜü\x18", lpUsedDefaultChar=0x0) returned 256 [0093.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0093.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpWideCharStr=0x18f2f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0093.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0093.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0093.787] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿïÜü\x18", lpUsedDefaultChar=0x0) returned 256 [0093.787] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x80) returned 0x433830 [0093.787] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0093.787] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x15e) returned 0x439c70 [0093.787] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0093.787] GetLastError () returned 0x0 [0093.787] SetLastError (dwErrCode=0x0) [0093.787] GetEnvironmentStringsW () returned 0x441dc8* [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0xa8c) returned 0x442860 [0093.788] FreeEnvironmentStringsW (penv=0x441dc8) returned 1 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x90) returned 0x434780 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3e) returned 0x43b110 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x5c) returned 0x438a58 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x6e) returned 0x434848 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x78) returned 0x443ba0 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x434c18 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x28) returned 0x433d50 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x433fa0 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x430570 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3a) returned 0x43ac48 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x433bb0 [0093.788] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2a) returned 0x4389b0 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2e) returned 0x438668 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1c) returned 0x433d80 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x144) returned 0x441dc8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x7c) returned 0x4382b8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x36) returned 0x43e0f8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3a) returned 0x43ad20 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x90) returned 0x434358 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x4338d0 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x30) returned 0x438978 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x36) returned 0x43e278 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x4328d8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x52) returned 0x4304b8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3c) returned 0x43abb8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xd6) returned 0x439e30 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2e) returned 0x438748 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1e) returned 0x432928 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2c) returned 0x4386a0 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x54) returned 0x433dc8 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x52) returned 0x434028 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x433e28 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x42) returned 0x434088 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2c) returned 0x438780 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x439f60 [0093.789] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x433900 [0093.790] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x442860 | out: hHeap=0x430000) returned 1 [0093.790] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x800) returned 0x441f18 [0093.790] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0093.790] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0093.790] GetStartupInfoW (in: lpStartupInfo=0x18fd08 | out: lpStartupInfo=0x18fd08*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0093.790] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage" [0093.790] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage", pNumArgs=0x18fcf4 | out: pNumArgs=0x18fcf4) returned 0x442b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0093.995] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0093.997] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x1000) returned 0x444300 [0093.997] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x26) returned 0x43a6a8 [0093.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getMessage", cchWideChar=-1, lpMultiByteStr=0x43a6a8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getMessage", lpUsedDefaultChar=0x0) returned 19 [0093.998] GetLastError () returned 0x0 [0093.998] SetLastError (dwErrCode=0x0) [0093.998] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageW") returned 0x0 [0093.998] GetLastError () returned 0x7f [0093.998] SetLastError (dwErrCode=0x7f) [0093.998] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageA") returned 0x0 [0093.998] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessage") returned 0x647ca2d0 [0093.998] GetActiveWindow () returned 0x0 [0093.999] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x444300 | out: hHeap=0x430000) returned 1 [0093.999] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x43a6a8 | out: hHeap=0x430000) returned 1 [0093.999] GetCurrentProcessId () returned 0x10e4 [0093.999] GetCurrentThreadId () returned 0xd50 [0093.999] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0094.007] Thread32First (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.007] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.008] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.009] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.009] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.010] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.011] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.011] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.012] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.012] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.013] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.014] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.014] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.015] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.015] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.016] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.017] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.017] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.018] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.018] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.019] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.019] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.020] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.021] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.021] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.022] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.022] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.023] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.023] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.024] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.025] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.025] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.026] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.264] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.265] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.266] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.266] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.267] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.268] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.268] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.269] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.270] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.270] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.271] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.272] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.272] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.273] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.274] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.275] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.277] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.277] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.278] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.279] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.280] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.280] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.281] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.282] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.283] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.283] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.284] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.285] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.285] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.286] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.287] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.287] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.288] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.289] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.289] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.290] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.291] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.292] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.292] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.293] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.294] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.295] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.296] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.297] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.297] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.298] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.299] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.300] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.301] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.301] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.302] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.303] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.304] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.305] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.305] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.532] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.532] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.533] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.534] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.534] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.535] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.536] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.536] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.537] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.538] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.538] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.539] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.539] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.540] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.541] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.541] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.542] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.542] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.543] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.544] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.544] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.545] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.545] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.546] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.547] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.547] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.548] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.548] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.549] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.550] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.550] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.551] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.551] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.552] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.552] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.553] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.554] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.554] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.555] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.555] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.556] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.557] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.557] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.558] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.559] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.559] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.560] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.560] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.561] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.562] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.562] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.563] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.563] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.564] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.564] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.565] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.566] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.566] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.567] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.567] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.568] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.569] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.569] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.570] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.570] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.571] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.571] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.906] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.907] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.907] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.908] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.908] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.909] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.910] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.910] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.911] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.911] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.912] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.913] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.913] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.914] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.914] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.915] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.916] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.917] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.917] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.918] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.918] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.919] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.920] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.920] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.921] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.921] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.922] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.923] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.923] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.924] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.924] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.925] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.926] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.926] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.927] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.927] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.928] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.928] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.929] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.930] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.930] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.931] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.940] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.941] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.942] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.942] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.943] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.944] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.944] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.945] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0094.946] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.211] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.211] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.212] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.213] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.214] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.215] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.215] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.216] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.217] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.217] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.218] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.219] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.219] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.220] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.221] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.221] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.222] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.222] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.223] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.224] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.224] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.225] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.225] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.226] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.226] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.227] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.228] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.229] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.229] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.230] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.230] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.231] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.231] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.232] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.233] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.233] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.234] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.234] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.235] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.236] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.236] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.237] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.237] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.238] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.238] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.239] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.240] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.240] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.241] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.241] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.242] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.243] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.243] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.409] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.410] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.410] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.411] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.411] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.412] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.413] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.413] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.414] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.414] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.415] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.416] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.417] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.417] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.418] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.418] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.419] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.420] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.420] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.421] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.421] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.422] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.423] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.423] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.424] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.424] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.425] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.426] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.426] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.427] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.427] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.428] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.429] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.429] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.430] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.430] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.431] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.432] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.433] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.433] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.434] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.434] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.435] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.436] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.436] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.437] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.438] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.438] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.439] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.439] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.440] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.440] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.441] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.442] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.442] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.443] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.443] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.444] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.445] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.445] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.446] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.446] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.564] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.565] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.566] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.566] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.567] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.567] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.568] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.569] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.569] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.570] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.570] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.571] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.572] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.573] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.573] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.574] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.575] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.575] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.576] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.576] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.577] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.578] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.578] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.579] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.580] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.580] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.581] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.581] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.582] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.582] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.583] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.584] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.584] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.585] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.585] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.586] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.587] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.587] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.588] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.589] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.589] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.590] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.591] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.591] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.592] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.592] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.593] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.594] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.594] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.595] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.596] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.596] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.597] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.597] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.598] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.599] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.600] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.601] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.601] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.602] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.603] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.760] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.761] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.762] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.762] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.763] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.764] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.765] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.766] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.766] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.767] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.768] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.769] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.770] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.770] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.771] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.773] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.774] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.774] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.775] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.776] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.777] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.778] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.778] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.779] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.780] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.780] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.781] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.781] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.782] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.783] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.783] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.784] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.784] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.785] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.786] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.786] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.787] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.788] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.788] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.789] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.790] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.790] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.791] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.791] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.792] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.793] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.793] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.794] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.795] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.795] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.796] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.796] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.797] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.798] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.798] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.799] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.800] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.800] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.801] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.801] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.802] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.803] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.803] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.804] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.965] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.966] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.966] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.967] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.967] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.968] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.969] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.969] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0095.970] Thread32Next (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0096.664] CloseHandle (hObject=0x150) returned 1 [0096.664] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd58) returned 0x150 [0096.664] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0153.649] CloseHandle (hObject=0x150) returned 1 [0153.650] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0153.659] Thread32First (hSnapshot=0x150, lpte=0x18fcd8) returned 1 [0155.932] CloseHandle (hObject=0x150) returned 1 [0155.932] FreeLibrary (hLibModule=0x647c0000) returned 1 [0155.934] LocalFree (hMem=0x442b68) returned 0x0 [0155.934] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0155.934] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0155.935] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x433830 | out: hHeap=0x430000) returned 1 [0155.936] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x441f18 | out: hHeap=0x430000) returned 1 [0155.936] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0155.937] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0155.937] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fd00 | out: phModule=0x18fd00) returned 0 [0155.937] ExitProcess (uExitCode=0x0) [0155.938] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x440a28 | out: hHeap=0x430000) returned 1 Thread: id = 151 os_tid = 0xd58 Process: id = "76" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x291af000" os_pid = "0x234" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "68" os_parent_pid = "0xcb8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "77" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x626a9000" os_pid = "0x1354" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "69" os_parent_pid = "0xda8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "78" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7cd55000" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4043 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4044 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4045 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4046 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4047 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4048 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4049 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4050 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4051 start_va = 0x9c0000 end_va = 0x9c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4052 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 4053 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4054 start_va = 0x7e8d0000 end_va = 0x7e8f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8d0000" filename = "" Region: id = 4055 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4056 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4057 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4058 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 4381 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4382 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4383 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4384 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4385 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4386 start_va = 0x9d0000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4387 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4388 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4426 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4427 start_va = 0x7e7d0000 end_va = 0x7e8cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7d0000" filename = "" Region: id = 4428 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4429 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4430 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4431 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4432 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4433 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4434 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4435 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4436 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4437 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4438 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4439 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4440 start_va = 0x9c0000 end_va = 0x9c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 4441 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4442 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4443 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4444 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4493 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4494 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4495 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4496 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4497 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4498 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4499 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 4500 start_va = 0x9d0000 end_va = 0x9f9fff monitored = 0 entry_point = 0x9d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4501 start_va = 0xbc0000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 4502 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4655 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4656 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4657 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 4658 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 4659 start_va = 0x9d0000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4660 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 4661 start_va = 0x9d0000 end_va = 0xa60fff monitored = 0 entry_point = 0xa08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4662 start_va = 0xa70000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 4736 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 4737 start_va = 0x9d0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4738 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 4739 start_va = 0x9d0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 4740 start_va = 0x9f0000 end_va = 0x9f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 4741 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4742 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4743 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4744 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4745 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4746 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4747 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4748 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4749 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4750 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4751 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4752 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4753 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4754 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4755 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4756 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4757 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4758 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4759 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4760 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4761 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4762 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4763 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4764 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4765 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4766 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4767 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4768 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4769 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4770 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4771 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4772 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4773 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4774 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4775 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4776 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4777 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4778 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4779 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4780 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4781 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4782 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4783 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4784 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4785 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4786 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4787 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4788 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4789 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4855 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4856 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4857 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4858 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4859 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4860 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4861 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4862 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4863 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4864 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4865 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4866 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4867 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4868 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4869 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4870 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4871 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4872 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4873 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4874 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4875 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4876 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4877 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4878 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4879 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4880 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4881 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4882 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4883 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4884 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4885 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4886 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4887 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4888 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4889 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4890 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4891 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4892 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4893 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4894 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4895 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4896 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4897 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4898 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4899 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4900 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4901 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4902 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4903 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4904 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4905 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4906 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4907 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4908 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4909 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4910 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4997 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4998 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 4999 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5000 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5001 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5002 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5003 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5004 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5005 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5006 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5007 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5008 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5009 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5010 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5011 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5012 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5013 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5014 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5015 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5016 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5017 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5018 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5019 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5020 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5021 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5022 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5023 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5024 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5025 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5026 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5027 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5028 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5029 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5030 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5031 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5032 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5033 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5034 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5035 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5036 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5037 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5038 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5039 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5040 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5041 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5042 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5043 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5044 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5045 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5046 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5119 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5120 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5121 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5122 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5123 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5124 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5125 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5126 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5127 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5128 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5129 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5130 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5131 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5132 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5133 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5134 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5135 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5136 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5137 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5138 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5139 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5140 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5141 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5142 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5143 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5144 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5145 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5146 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5147 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5148 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5149 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5150 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5151 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5152 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5153 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5154 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5155 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5156 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5157 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5158 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5159 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5160 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5161 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5162 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5163 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5164 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5165 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5236 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5237 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5238 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5239 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5240 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5241 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5242 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5243 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5244 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5245 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5246 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5247 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5248 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5249 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5250 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5251 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5252 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5253 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5254 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5255 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5256 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5257 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5258 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5259 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5260 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5261 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5262 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5263 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5264 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5265 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5266 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5267 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5268 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5269 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5270 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5271 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5272 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5273 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5274 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5275 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5276 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5277 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5278 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5279 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5280 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5281 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5282 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 5283 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 13970 start_va = 0x9d0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 13971 start_va = 0x9d0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 13972 start_va = 0x9f0000 end_va = 0x9f5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 13973 start_va = 0x9d0000 end_va = 0x9d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Thread: id = 150 os_tid = 0xd5c [0094.822] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0094.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.822] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0094.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.823] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0094.823] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0094.823] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.824] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0094.824] GetProcessHeap () returned 0xbc0000 [0094.824] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0094.824] GetLastError () returned 0x7e [0094.825] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0094.825] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0094.825] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x364) returned 0xbd0a28 [0094.825] SetLastError (dwErrCode=0x7e) [0094.825] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0xe00) returned 0xbd0d98 [0094.827] GetStartupInfoW (in: lpStartupInfo=0x18fcf0 | out: lpStartupInfo=0x18fcf0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0094.827] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0094.827] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0094.827] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0094.827] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion" [0094.827] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion" [0094.827] GetACP () returned 0x4e4 [0094.827] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x220) returned 0xbd1ba0 [0094.827] IsValidCodePage (CodePage=0x4e4) returned 1 [0094.827] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd10 | out: lpCPInfo=0x18fd10) returned 1 [0094.828] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5d8 | out: lpCPInfo=0x18f5d8) returned 1 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x18f378, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0094.828] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f5ec | out: lpCharType=0x18f5ec) returned 1 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x18f328, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0094.828] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.828] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0094.828] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.828] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f118, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0094.828] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿFý\x0bg(ý\x18", lpUsedDefaultChar=0x0) returned 256 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.828] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbec, cbMultiByte=256, lpWideCharStr=0x18f348, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0094.828] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.828] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f138, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0094.829] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿFý\x0bg(ý\x18", lpUsedDefaultChar=0x0) returned 256 [0094.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x80) returned 0xbc3830 [0094.829] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0094.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x15e) returned 0xbc9c70 [0094.829] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0094.829] GetLastError () returned 0x0 [0094.829] SetLastError (dwErrCode=0x0) [0094.829] GetEnvironmentStringsW () returned 0xbd1dc8* [0094.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa8c) returned 0xbd2860 [0094.830] FreeEnvironmentStringsW (penv=0xbd1dc8) returned 1 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x90) returned 0xbc4520 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x3e) returned 0xbca978 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x5c) returned 0xbc87f8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x6e) returned 0xbc45e8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x78) returned 0xbd35a0 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x62) returned 0xbc49b8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x28) returned 0xbc3d50 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x48) returned 0xbc3fa0 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x1a) returned 0xbc0570 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x3a) returned 0xbcacd8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x62) returned 0xbc3bb0 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x2a) returned 0xbc8408 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x2e) returned 0xbc85c8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x1c) returned 0xbc3d80 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x144) returned 0xbd1dc8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x7c) returned 0xbc8058 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x36) returned 0xbce4b8 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x3a) returned 0xbca9c0 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x90) returned 0xbc4358 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x24) returned 0xbc38d0 [0094.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x30) returned 0xbc8638 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x36) returned 0xbce438 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x48) returned 0xbc28d8 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x52) returned 0xbc04b8 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x3c) returned 0xbcadb0 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0xd6) returned 0xbc9e30 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x2e) returned 0xbc8718 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x1e) returned 0xbc2928 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x2c) returned 0xbc8590 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x54) returned 0xbc3dc8 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x52) returned 0xbc4028 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x24) returned 0xbc3e28 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x42) returned 0xbc4088 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x2c) returned 0xbc8600 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x44) returned 0xbc9f60 [0094.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x24) returned 0xbc3900 [0094.832] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd2860 | out: hHeap=0xbc0000) returned 1 [0094.832] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x8, Size=0x800) returned 0xbd1f18 [0094.833] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0094.833] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0094.833] GetStartupInfoW (in: lpStartupInfo=0x18fd54 | out: lpStartupInfo=0x18fd54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0094.833] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion" [0094.833] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion", pNumArgs=0x18fd40 | out: pNumArgs=0x18fd40) returned 0xbd2b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0094.833] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0095.075] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1000) returned 0xbd4300 [0095.075] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x26) returned 0xbca6a8 [0095.075] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getVersion", cchWideChar=-1, lpMultiByteStr=0xbca6a8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getVersion", lpUsedDefaultChar=0x0) returned 19 [0095.075] GetLastError () returned 0x0 [0095.076] SetLastError (dwErrCode=0x0) [0095.076] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionW") returned 0x0 [0095.076] GetLastError () returned 0x7f [0095.076] SetLastError (dwErrCode=0x7f) [0095.076] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionA") returned 0x0 [0095.076] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersion") returned 0x647caab6 [0095.076] GetActiveWindow () returned 0x0 [0095.077] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd4300 | out: hHeap=0xbc0000) returned 1 [0095.078] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbca6a8 | out: hHeap=0xbc0000) returned 1 [0095.078] GetCurrentProcessId () returned 0xd48 [0095.078] GetCurrentThreadId () returned 0xd5c [0095.078] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0095.088] Thread32First (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.089] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.089] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.090] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.090] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.091] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.091] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.092] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.093] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.093] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.094] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.095] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.095] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.096] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.096] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.097] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.097] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.098] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.099] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.099] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.100] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.100] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.101] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.102] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.102] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.104] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.105] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.105] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.106] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.107] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.107] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.108] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.108] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.109] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.110] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.110] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.111] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.111] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.112] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.113] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.113] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.114] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.114] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.115] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.116] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.116] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.117] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.117] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.118] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.292] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.303] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.304] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.305] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.305] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.306] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.308] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.308] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.309] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.309] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.310] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.311] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.311] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.312] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.312] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.313] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.314] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.314] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.315] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.315] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.316] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.317] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.317] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.318] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.319] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.319] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.320] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.320] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.321] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.321] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.322] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.323] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.324] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.324] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.325] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.325] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.326] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.326] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.327] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.328] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.328] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.329] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.329] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.330] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.330] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.331] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.332] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.332] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.333] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.333] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.334] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.335] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.335] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.336] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.336] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.337] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.469] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.496] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.498] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.499] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.499] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.500] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.501] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.501] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.502] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.502] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.503] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.504] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.504] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.505] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.505] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.506] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.507] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.507] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.508] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.508] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.509] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.510] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.510] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.511] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.512] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.512] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.513] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.513] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.514] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.515] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.515] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.516] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.516] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.517] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.518] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.518] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.519] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.519] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.520] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.521] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.521] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.522] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.522] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.523] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.524] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.524] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.525] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.525] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.526] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.526] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.617] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.673] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.675] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.676] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.677] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.678] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.679] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.681] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.681] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.683] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.684] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.685] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.686] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.687] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.688] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.689] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.689] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.690] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.691] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.691] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.692] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.694] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.694] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.695] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.696] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.696] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.697] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.697] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.698] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.699] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.699] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.700] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.700] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.701] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.702] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.702] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.703] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.703] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.704] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.704] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.705] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.706] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.706] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.707] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.708] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.708] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.709] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.821] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.848] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.851] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.852] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.853] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.853] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.854] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.854] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.855] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.856] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.856] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.857] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.858] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.858] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.859] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.860] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.860] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.861] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.861] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.862] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.863] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.863] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.864] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.864] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.865] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.866] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.867] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.867] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.868] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.868] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.869] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.869] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.870] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.871] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.871] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.872] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.872] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.873] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.874] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.874] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.875] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.875] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.876] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.877] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.877] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.878] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.878] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0095.879] Thread32Next (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0097.309] CloseHandle (hObject=0x150) returned 1 [0097.309] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd3c) returned 0x150 [0097.309] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0154.322] CloseHandle (hObject=0x150) returned 1 [0154.322] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0154.329] Thread32First (hSnapshot=0x150, lpte=0x18fd24) returned 1 [0156.538] CloseHandle (hObject=0x150) returned 1 [0156.539] FreeLibrary (hLibModule=0x647c0000) returned 1 [0156.760] LocalFree (hMem=0xbd2b68) returned 0x0 [0156.760] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0156.760] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0156.761] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbc3830 | out: hHeap=0xbc0000) returned 1 [0156.763] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd1f18 | out: hHeap=0xbc0000) returned 1 [0156.763] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0156.763] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0156.763] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fd4c | out: phModule=0x18fd4c) returned 0 [0156.763] ExitProcess (uExitCode=0x0) [0156.765] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd0a28 | out: hHeap=0xbc0000) returned 1 Thread: id = 155 os_tid = 0xd3c Process: id = "79" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5943d000" os_pid = "0xd54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "74" os_parent_pid = "0x116c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "80" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4716d000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4404 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4405 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4406 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4407 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4408 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4409 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4410 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4411 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4412 start_va = 0xd50000 end_va = 0xd51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 4413 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 4414 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4415 start_va = 0x7e210000 end_va = 0x7e232fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e210000" filename = "" Region: id = 4416 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4417 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4418 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4419 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 4483 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4484 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4485 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4486 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4487 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4488 start_va = 0xd60000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 4489 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4490 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4558 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4559 start_va = 0x7e110000 end_va = 0x7e20ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e110000" filename = "" Region: id = 4560 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4561 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4562 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4563 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4564 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4565 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 4566 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4567 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4568 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4569 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4570 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4571 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4639 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4640 start_va = 0xd50000 end_va = 0xd53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 4641 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4642 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4643 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4644 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4645 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4646 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 4647 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 4648 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 4649 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4650 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4651 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 4652 start_va = 0xd60000 end_va = 0xd89fff monitored = 0 entry_point = 0xd65680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4653 start_va = 0xdc0000 end_va = 0xebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 4654 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4663 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4664 start_va = 0x760000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 4665 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 4666 start_va = 0xec0000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 4667 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 4668 start_va = 0xf30000 end_va = 0xfc0fff monitored = 0 entry_point = 0xf68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4790 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 4791 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 4792 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 4793 start_va = 0xd70000 end_va = 0xd77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 4911 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 4912 start_va = 0xd80000 end_va = 0xd81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 4913 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 4914 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 4915 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 4916 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Thread: id = 153 os_tid = 0xd64 [0094.862] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0094.862] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.863] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0094.863] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0094.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0094.863] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.864] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0094.864] GetProcessHeap () returned 0xdc0000 [0094.864] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.864] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0094.864] GetLastError () returned 0x7e [0094.864] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0094.864] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0094.864] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x364) returned 0xdd09f0 [0094.865] SetLastError (dwErrCode=0x7e) [0094.865] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0xe00) returned 0xdd0d60 [0094.866] GetStartupInfoW (in: lpStartupInfo=0x18fce4 | out: lpStartupInfo=0x18fce4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0094.866] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0094.866] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0094.866] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0094.867] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize" [0094.867] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize" [0094.867] GetACP () returned 0x4e4 [0094.867] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x0, Size=0x220) returned 0xdd1b68 [0094.867] IsValidCodePage (CodePage=0x4e4) returned 1 [0094.867] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd04 | out: lpCPInfo=0x18fd04) returned 1 [0094.867] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5cc | out: lpCPInfo=0x18f5cc) returned 1 [0094.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x18f368, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0094.867] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f5e0 | out: lpCharType=0x18f5e0) returned 1 [0094.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.867] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x18f328, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0094.867] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0094.867] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0094.867] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.868] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f118, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0094.868] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fae0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿóA\x817\x1cý\x18", lpUsedDefaultChar=0x0) returned 256 [0094.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.868] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0094.868] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.868] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f128, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0094.868] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿóA\x817\x1cý\x18", lpUsedDefaultChar=0x0) returned 256 [0094.868] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x0, Size=0x80) returned 0xdc3830 [0094.868] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0094.868] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x15e) returned 0xdc9c38 [0094.868] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0094.868] GetLastError () returned 0x0 [0094.868] SetLastError (dwErrCode=0x0) [0094.868] GetEnvironmentStringsW () returned 0xdd1d90* [0095.119] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x0, Size=0xa8c) returned 0xdd2828 [0095.119] FreeEnvironmentStringsW (penv=0xdd1d90) returned 1 [0095.119] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x90) returned 0xdc4520 [0095.119] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x3e) returned 0xdcac58 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x5c) returned 0xdc8a20 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x6e) returned 0xdc4818 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x78) returned 0xdd3968 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x62) returned 0xdc3fa0 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x28) returned 0xdc9df8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x48) returned 0xdc3d50 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x1a) returned 0xdc45e8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x3a) returned 0xdcace8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x62) returned 0xdc4788 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x2a) returned 0xdc8668 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x2e) returned 0xdc87b8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x1c) returned 0xdc4610 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x144) returned 0xdd1d90 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x7c) returned 0xdc8280 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x36) returned 0xdce140 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x3a) returned 0xdcaf28 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x90) returned 0xdca248 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x24) returned 0xdc3bb0 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x30) returned 0xdc8860 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x36) returned 0xdce300 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x48) returned 0xdc38d0 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x52) returned 0xdc28d8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x3c) returned 0xdcaaa8 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0xd6) returned 0xdc04a0 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x2e) returned 0xdc8898 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x1e) returned 0xdc0580 [0095.120] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x2c) returned 0xdc8908 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x54) returned 0xdc4358 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x52) returned 0xdc3dc8 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x24) returned 0xdc43b8 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x42) returned 0xdc4028 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x2c) returned 0xdc86a0 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x44) returned 0xdc4078 [0095.121] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x24) returned 0xdc3e28 [0095.122] HeapFree (in: hHeap=0xdc0000, dwFlags=0x0, lpMem=0xdd2828 | out: hHeap=0xdc0000) returned 1 [0095.122] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x8, Size=0x800) returned 0xdd1ee0 [0095.122] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0095.122] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0095.122] GetStartupInfoW (in: lpStartupInfo=0x18fd48 | out: lpStartupInfo=0x18fd48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0095.122] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize" [0095.123] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize", pNumArgs=0x18fd34 | out: pNumArgs=0x18fd34) returned 0xdd2b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0095.123] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0095.125] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x0, Size=0x1000) returned 0xdd42c8 [0095.125] RtlAllocateHeap (HeapHandle=0xdc0000, Flags=0x0, Size=0x26) returned 0xdca360 [0095.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_initialize", cchWideChar=-1, lpMultiByteStr=0xdca360, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_initialize", lpUsedDefaultChar=0x0) returned 19 [0095.126] GetLastError () returned 0x0 [0095.126] SetLastError (dwErrCode=0x0) [0095.126] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeW") returned 0x0 [0095.126] GetLastError () returned 0x7f [0095.126] SetLastError (dwErrCode=0x7f) [0095.126] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeA") returned 0x0 [0095.126] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initialize") returned 0x647caad2 [0095.126] GetActiveWindow () returned 0x0 [0095.127] GetLastError () returned 0x7f [0095.127] SetLastError (dwErrCode=0x7f) Thread: id = 156 os_tid = 0xd34 Process: id = "81" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x468df000" os_pid = "0xcd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4669 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4670 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4671 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4672 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4673 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4674 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4675 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 4676 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4677 start_va = 0xfb0000 end_va = 0xfb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 4678 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 4679 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4680 start_va = 0x7e440000 end_va = 0x7e462fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e440000" filename = "" Region: id = 4681 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4682 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4683 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4684 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 4794 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4795 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4796 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4797 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4798 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4799 start_va = 0xfc0000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 4800 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4801 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4917 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4918 start_va = 0x7e340000 end_va = 0x7e43ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e340000" filename = "" Region: id = 4919 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4920 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4921 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4922 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 4923 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4924 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4925 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4926 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4927 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 4928 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 4929 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4930 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4931 start_va = 0xfb0000 end_va = 0xfb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 4932 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4933 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4934 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5047 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5048 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5049 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5050 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5051 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5052 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5053 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5054 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 5055 start_va = 0xfc0000 end_va = 0xfe9fff monitored = 0 entry_point = 0xfc5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5056 start_va = 0x10d0000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 5057 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5166 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5167 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5168 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 5169 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5170 start_va = 0x2740000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 5171 start_va = 0xfc0000 end_va = 0x1050fff monitored = 0 entry_point = 0xff8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5284 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5285 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 5286 start_va = 0x920000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 5287 start_va = 0xfc0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 5288 start_va = 0xfe0000 end_va = 0xfe5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 5289 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5290 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5291 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5292 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5293 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5294 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5295 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5296 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5297 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5298 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5299 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5300 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5301 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5302 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5303 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5304 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5305 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5306 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5307 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5308 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5309 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5310 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5311 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5312 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5313 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5314 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5315 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5316 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5317 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5318 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5319 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5320 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5321 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5322 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5323 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5334 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5335 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5336 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5337 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5338 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5339 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5340 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5341 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5342 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5343 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5344 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5345 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5346 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5347 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5348 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5349 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5350 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5351 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5352 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5353 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5354 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5355 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5356 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5357 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5358 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5359 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5360 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5361 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5362 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5363 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5364 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5365 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5366 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5367 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5368 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5369 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5370 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5371 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5372 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5373 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5374 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5375 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5376 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5377 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5378 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5379 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5380 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5381 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5382 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5383 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5384 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5385 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5386 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5387 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5388 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5389 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5390 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5409 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5410 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5411 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5412 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5413 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5414 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5415 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5416 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5417 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5418 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5419 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5420 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5421 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5422 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5423 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5424 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5425 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5426 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5427 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5428 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5429 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5430 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5431 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5432 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5433 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5434 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5435 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5436 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5437 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5438 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5439 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5440 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5441 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5442 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5443 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5444 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5445 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5446 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5447 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5448 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5449 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5450 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5451 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5452 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5453 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5454 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5455 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5456 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5457 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5458 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5459 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5460 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5461 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5462 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5463 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5464 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5465 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5466 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5467 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5468 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5469 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5470 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5471 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5472 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5473 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5474 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5475 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5476 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5477 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5478 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5479 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5480 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5481 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5489 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5490 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5491 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5492 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5493 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5494 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5495 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5496 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5497 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5498 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5499 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5500 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5501 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5502 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5503 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5504 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5505 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5506 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5507 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5508 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5509 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5510 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5511 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5512 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5513 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5514 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5515 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5516 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5517 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5518 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5519 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5520 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5521 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5522 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5523 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5524 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5525 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5526 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5527 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5528 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5529 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5530 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5531 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5532 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5533 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5534 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5535 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5536 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5537 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5538 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5539 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5540 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5541 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5542 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5543 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5544 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5545 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5546 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5547 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5548 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5549 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5550 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5551 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5552 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5553 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5554 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5555 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5556 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5557 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5558 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5559 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5560 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5561 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5562 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5581 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5582 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5583 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5584 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5585 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5586 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5587 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5588 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5589 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5590 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 5591 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 14079 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 14080 start_va = 0xfc0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 14081 start_va = 0xfe0000 end_va = 0xfe5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 14082 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Thread: id = 157 os_tid = 0xd40 [0095.899] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0095.899] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0095.900] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0095.900] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0095.900] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0095.900] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0095.901] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0095.901] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0095.901] GetProcessHeap () returned 0x10d0000 [0095.901] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0095.901] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0095.901] GetLastError () returned 0x7e [0095.901] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0095.902] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0095.902] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x364) returned 0x10e0a18 [0095.902] SetLastError (dwErrCode=0x7e) [0095.902] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0xe00) returned 0x10e0d88 [0095.904] GetStartupInfoW (in: lpStartupInfo=0x18f774 | out: lpStartupInfo=0x18f774*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0095.904] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0095.904] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0095.904] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0095.904] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout" [0095.904] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout" [0095.904] GetACP () returned 0x4e4 [0095.904] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x0, Size=0x220) returned 0x10e1b90 [0095.904] IsValidCodePage (CodePage=0x4e4) returned 1 [0095.904] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f794 | out: lpCPInfo=0x18f794) returned 1 [0095.904] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f05c | out: lpCPInfo=0x18f05c) returned 1 [0095.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x18edf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0095.904] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f070 | out: lpCharType=0x18f070) returned 1 [0095.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0095.904] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0095.904] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0095.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0095.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eba8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0095.905] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f570, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ,Ò=\x8b¬÷\x18", lpUsedDefaultChar=0x0) returned 256 [0095.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0095.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f670, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0095.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0095.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0095.905] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f470, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ,Ò=\x8b¬÷\x18", lpUsedDefaultChar=0x0) returned 256 [0095.905] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x0, Size=0x80) returned 0x10d3820 [0095.905] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0095.905] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x156) returned 0x10d9c60 [0095.905] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0095.905] GetLastError () returned 0x0 [0095.905] SetLastError (dwErrCode=0x0) [0095.905] GetEnvironmentStringsW () returned 0x10e1db8* [0095.905] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x0, Size=0xa8c) returned 0x10e2850 [0095.906] FreeEnvironmentStringsW (penv=0x10e1db8) returned 1 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x90) returned 0x10d4510 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x3e) returned 0x10daf50 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x5c) returned 0x10d87e8 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x6e) returned 0x10d45d8 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x78) returned 0x10e3790 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x62) returned 0x10d49a8 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x28) returned 0x10d3d40 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x48) returned 0x10d3f90 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x1a) returned 0x10d0570 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x3a) returned 0x10dada0 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x62) returned 0x10d3ba0 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x2a) returned 0x10d8708 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x2e) returned 0x10d8740 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x1c) returned 0x10d3d70 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x144) returned 0x10e1db8 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x7c) returned 0x10d8048 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x36) returned 0x10de268 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x3a) returned 0x10db0b8 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x90) returned 0x10d4348 [0095.906] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x24) returned 0x10d38c0 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x30) returned 0x10d85f0 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x36) returned 0x10de5a8 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x48) returned 0x10d28d0 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x52) returned 0x10d04b8 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x3c) returned 0x10dac80 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0xd6) returned 0x10d9e20 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x2e) returned 0x10d8430 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x1e) returned 0x10d2920 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x2c) returned 0x10d8468 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x54) returned 0x10d3db8 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x52) returned 0x10d4018 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x24) returned 0x10d3e18 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x42) returned 0x10d4078 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x2c) returned 0x10d8628 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x44) returned 0x10d9f50 [0095.907] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x24) returned 0x10d38f0 [0095.908] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10e2850 | out: hHeap=0x10d0000) returned 1 [0095.908] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x8, Size=0x800) returned 0x10e1f08 [0095.908] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0095.908] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0095.909] GetStartupInfoW (in: lpStartupInfo=0x18f7d8 | out: lpStartupInfo=0x18f7d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0095.909] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout" [0095.909] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout", pNumArgs=0x18f7c4 | out: pNumArgs=0x18f7c4) returned 0x10e2b58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0095.909] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0095.912] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x0, Size=0x1000) returned 0x10e42f0 [0095.912] RtlAllocateHeap (HeapHandle=0x10d0000, Flags=0x0, Size=0x1e) returned 0x10da698 [0095.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_logout", cchWideChar=-1, lpMultiByteStr=0x10da698, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_logout", lpUsedDefaultChar=0x0) returned 15 [0095.912] GetLastError () returned 0x0 [0095.912] SetLastError (dwErrCode=0x0) [0095.912] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutW") returned 0x0 [0095.912] GetLastError () returned 0x7f [0095.912] SetLastError (dwErrCode=0x7f) [0095.912] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutA") returned 0x0 [0095.913] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logout") returned 0x647cbcee [0095.913] GetActiveWindow () returned 0x0 [0095.914] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10e42f0 | out: hHeap=0x10d0000) returned 1 [0095.914] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10da698 | out: hHeap=0x10d0000) returned 1 [0095.914] GetCurrentProcessId () returned 0xcd4 [0095.914] GetCurrentThreadId () returned 0xd40 [0095.914] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0095.922] Thread32First (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.923] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.923] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.924] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.925] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.925] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.926] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.927] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.927] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.928] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.928] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.929] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.930] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.930] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.931] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.931] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.932] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.933] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.933] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.934] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.934] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.935] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.936] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.936] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.937] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.938] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.938] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.939] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.939] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.940] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.941] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.941] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.942] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.942] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0095.943] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.166] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.167] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.167] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.168] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.169] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.170] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.171] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.171] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.172] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.173] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.174] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.174] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.175] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.176] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.177] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.178] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.179] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.180] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.180] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.181] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.182] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.183] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.184] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.184] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.185] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.186] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.187] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.187] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.188] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.189] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.190] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.190] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.191] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.192] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.193] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.194] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.195] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.195] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.196] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.197] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.198] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.198] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.199] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.199] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.200] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.201] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.201] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.202] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.203] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.204] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.205] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.205] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.206] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.207] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.208] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.208] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.209] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.364] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.365] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.366] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.366] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.367] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.367] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.368] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.369] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.369] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.370] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.371] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.371] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.372] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.372] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.373] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.374] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.374] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.375] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.375] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.376] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.377] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.377] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.378] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.378] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.381] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.381] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.382] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.382] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.383] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.384] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.384] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.385] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.385] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.386] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.387] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.387] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.388] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.388] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.389] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.390] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.390] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.391] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.391] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.392] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.393] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.393] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.394] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.394] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.395] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.396] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.397] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.397] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.398] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.399] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.399] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.400] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.400] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.401] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.402] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.402] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.403] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.403] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.404] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.405] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.405] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.406] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.406] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.407] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.408] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.408] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.409] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.409] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.410] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.574] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.575] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.576] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.576] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.577] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.577] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.578] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.579] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.579] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.580] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.580] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.581] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.582] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.582] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.583] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.583] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.584] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.585] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.585] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.586] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.586] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.587] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.588] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.588] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.589] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.590] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.590] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.591] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.591] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.592] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.593] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.593] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.594] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.595] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.595] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.596] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.596] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.597] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.598] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.598] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.599] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.599] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.600] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.601] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.601] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.602] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.602] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.603] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.604] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.604] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.606] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.607] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.607] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.608] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.608] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.609] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.610] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.610] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.611] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.611] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.612] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.613] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.613] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.614] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.614] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.615] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.616] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.616] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.617] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.617] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.618] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.619] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.619] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.620] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.825] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.826] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.826] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.827] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.828] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.828] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.829] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.830] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.830] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.831] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0096.831] Thread32Next (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0097.550] CloseHandle (hObject=0x150) returned 1 [0097.551] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x118c) returned 0x150 [0097.551] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0155.962] CloseHandle (hObject=0x150) returned 1 [0155.962] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0155.970] Thread32First (hSnapshot=0x150, lpte=0x18f7a8) returned 1 [0157.730] CloseHandle (hObject=0x150) returned 1 [0157.730] FreeLibrary (hLibModule=0x647c0000) returned 1 [0157.732] LocalFree (hMem=0x10e2b58) returned 0x0 [0157.732] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0157.733] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0157.733] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10d3820 | out: hHeap=0x10d0000) returned 1 [0157.734] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10e1f08 | out: hHeap=0x10d0000) returned 1 [0157.734] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0157.735] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0157.735] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f7d0 | out: phModule=0x18f7d0) returned 0 [0157.735] ExitProcess (uExitCode=0x0) [0157.736] HeapFree (in: hHeap=0x10d0000, dwFlags=0x0, lpMem=0x10e0a18 | out: hHeap=0x10d0000) returned 1 Thread: id = 159 os_tid = 0x118c Process: id = "82" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46472000" os_pid = "0xdc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "80" os_parent_pid = "0xd60" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "83" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x464de000" os_pid = "0xd08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5393 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5394 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5395 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5396 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5397 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5398 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5399 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5400 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5401 start_va = 0x8a0000 end_va = 0x8a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 5402 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5403 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5404 start_va = 0x7f120000 end_va = 0x7f142fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f120000" filename = "" Region: id = 5405 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5406 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5407 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5408 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5482 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5483 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5484 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5485 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5486 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5487 start_va = 0x8b0000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 5488 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5563 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5564 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5565 start_va = 0x7f020000 end_va = 0x7f11ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f020000" filename = "" Region: id = 5566 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5567 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5568 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5569 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5570 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5571 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5572 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5573 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5574 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5575 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5576 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5577 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5578 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5579 start_va = 0x8a0000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 5580 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5592 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5593 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5594 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5595 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5596 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5597 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5598 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5599 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5600 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5601 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 5602 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5603 start_va = 0xa50000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 5604 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5605 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5606 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 5607 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 5608 start_va = 0xa40000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 5609 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5610 start_va = 0xb50000 end_va = 0xbe0fff monitored = 0 entry_point = 0xb88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5611 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5612 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 5613 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 5614 start_va = 0xb60000 end_va = 0xb67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 5615 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 5616 start_va = 0xb70000 end_va = 0xb71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 5617 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 5618 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 5621 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 5622 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Thread: id = 160 os_tid = 0x11e0 [0097.065] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0097.065] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0097.065] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0097.065] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0097.065] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0097.066] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0097.066] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0097.066] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0097.067] GetProcessHeap () returned 0xa50000 [0097.067] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0097.067] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0097.067] GetLastError () returned 0x7e [0097.067] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0097.067] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0097.067] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x364) returned 0xa60a48 [0097.068] SetLastError (dwErrCode=0x7e) [0097.068] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0xe00) returned 0xa60db8 [0097.069] GetStartupInfoW (in: lpStartupInfo=0x18fe84 | out: lpStartupInfo=0x18fe84*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0097.069] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0097.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0097.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0097.070] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession" [0097.070] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession" [0097.070] GetACP () returned 0x4e4 [0097.070] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x0, Size=0x220) returned 0xa61bc0 [0097.070] IsValidCodePage (CodePage=0x4e4) returned 1 [0097.070] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fea4 | out: lpCPInfo=0x18fea4) returned 1 [0097.070] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f76c | out: lpCPInfo=0x18f76c) returned 1 [0097.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x18f508, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0097.070] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f780 | out: lpCharType=0x18f780) returned 1 [0097.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0097.070] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0097.070] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0097.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0097.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0097.070] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc80, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<|\x04żþ\x18", lpUsedDefaultChar=0x0) returned 256 [0097.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0097.071] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd80, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0097.071] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0097.071] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0097.071] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb80, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<|\x04żþ\x18", lpUsedDefaultChar=0x0) returned 256 [0097.071] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x0, Size=0x80) returned 0xa53850 [0097.071] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0097.071] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x174) returned 0xa61de8 [0097.071] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0097.071] GetLastError () returned 0x0 [0097.071] SetLastError (dwErrCode=0x0) [0097.071] GetEnvironmentStringsW () returned 0xa61f68* [0097.071] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x0, Size=0xa8c) returned 0xa62a00 [0097.072] FreeEnvironmentStringsW (penv=0xa61f68) returned 1 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x90) returned 0xa54540 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x3e) returned 0xa5a998 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x5c) returned 0xa58a78 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x6e) returned 0xa54608 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x78) returned 0xa63640 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x62) returned 0xa549d8 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x28) returned 0xa53d70 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x48) returned 0xa53fc0 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x1a) returned 0xa50570 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x3a) returned 0xa5aab8 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x62) returned 0xa53bd0 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x2a) returned 0xa588b8 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x2e) returned 0xa58928 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x1c) returned 0xa53da0 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x144) returned 0xa59c90 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x7c) returned 0xa58078 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x36) returned 0xa5e518 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x3a) returned 0xa5acf8 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x90) returned 0xa54378 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x24) returned 0xa538f0 [0097.072] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x30) returned 0xa587d8 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x36) returned 0xa5e198 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x48) returned 0xa528f0 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x52) returned 0xa504b8 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x3c) returned 0xa5add0 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0xd6) returned 0xa59e50 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x2e) returned 0xa58960 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x1e) returned 0xa52940 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x2c) returned 0xa58998 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x54) returned 0xa53de8 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x52) returned 0xa54048 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x24) returned 0xa53e48 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x42) returned 0xa540a8 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x2c) returned 0xa589d0 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x44) returned 0xa59f80 [0097.073] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x24) returned 0xa53920 [0097.074] HeapFree (in: hHeap=0xa50000, dwFlags=0x0, lpMem=0xa62a00 | out: hHeap=0xa50000) returned 1 [0097.219] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x8, Size=0x800) returned 0xa61f68 [0097.219] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0097.219] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0097.219] GetStartupInfoW (in: lpStartupInfo=0x18fee8 | out: lpStartupInfo=0x18fee8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0097.219] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession" [0097.219] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession", pNumArgs=0x18fed4 | out: pNumArgs=0x18fed4) returned 0xa62bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0097.220] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0097.222] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x0, Size=0x1000) returned 0xa644a0 [0097.222] RtlAllocateHeap (HeapHandle=0xa50000, Flags=0x0, Size=0x3c) returned 0xa5aea8 [0097.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_createSession", cchWideChar=-1, lpMultiByteStr=0xa5aea8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_createSession", lpUsedDefaultChar=0x0) returned 30 [0097.222] GetLastError () returned 0x0 [0097.222] SetLastError (dwErrCode=0x0) [0097.223] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionW") returned 0x0 [0097.223] GetLastError () returned 0x7f [0097.223] SetLastError (dwErrCode=0x7f) [0097.223] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionA") returned 0x0 [0097.223] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSession") returned 0x647cef31 [0097.223] GetActiveWindow () returned 0x0 [0097.224] GetLastError () returned 0x7f [0097.224] SetLastError (dwErrCode=0x7f) Thread: id = 162 os_tid = 0x1398 Process: id = "84" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x15e80000" os_pid = "0x1394" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "83" os_parent_pid = "0xd08" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "85" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x56eb7000" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5630 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5631 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5632 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5633 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5634 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5635 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5636 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5637 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5638 start_va = 0xf30000 end_va = 0xf31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 5639 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5640 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5641 start_va = 0x7e890000 end_va = 0x7e8b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e890000" filename = "" Region: id = 5642 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5643 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5644 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5645 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5646 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5647 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5648 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5649 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5650 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5651 start_va = 0xf40000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 5652 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5653 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5654 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5655 start_va = 0x7e790000 end_va = 0x7e88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e790000" filename = "" Region: id = 5656 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5657 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5658 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5659 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5660 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 5661 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5662 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5663 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5664 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5665 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5666 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5667 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5668 start_va = 0xf30000 end_va = 0xf33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 5669 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5670 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5671 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5672 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5673 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5674 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5675 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5676 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5677 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5678 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5679 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 5680 start_va = 0xf40000 end_va = 0xf69fff monitored = 0 entry_point = 0xf45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5681 start_va = 0x10e0000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 5682 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5686 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5687 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5688 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5689 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 5690 start_va = 0xf40000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 5691 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5692 start_va = 0xf90000 end_va = 0x1020fff monitored = 0 entry_point = 0xfc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5693 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5694 start_va = 0xf40000 end_va = 0xf40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 5695 start_va = 0xf80000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 5696 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 5697 start_va = 0xf50000 end_va = 0xf57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 5700 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 5701 start_va = 0xf60000 end_va = 0xf61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 5702 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 5703 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 5704 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 5705 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Thread: id = 163 os_tid = 0x11d8 [0098.372] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0098.372] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0098.372] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0098.372] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0098.372] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0098.373] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0098.373] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0098.373] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0098.374] GetProcessHeap () returned 0x10e0000 [0098.374] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0098.374] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0098.375] GetLastError () returned 0x7e [0098.375] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0098.375] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0098.375] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x364) returned 0x10f0a48 [0098.375] SetLastError (dwErrCode=0x7e) [0098.375] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0xe00) returned 0x10f0db8 [0098.377] GetStartupInfoW (in: lpStartupInfo=0x18fbec | out: lpStartupInfo=0x18fbec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0098.377] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0098.378] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0098.378] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0098.378] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession" [0098.378] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession" [0098.378] GetACP () returned 0x4e4 [0098.378] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x220) returned 0x10f1bc0 [0098.378] IsValidCodePage (CodePage=0x4e4) returned 1 [0098.378] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc0c | out: lpCPInfo=0x18fc0c) returned 1 [0098.378] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4d4 | out: lpCPInfo=0x18f4d4) returned 1 [0098.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0098.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0098.378] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f4e8 | out: lpCharType=0x18f4e8) returned 1 [0098.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0098.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x18f228, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0098.378] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0098.379] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0098.379] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0098.379] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f018, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0098.379] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9e8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿIâ&¬$ü\x18", lpUsedDefaultChar=0x0) returned 256 [0098.379] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0098.379] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fae8, cbMultiByte=256, lpWideCharStr=0x18f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0098.379] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0098.379] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f038, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0098.379] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿIâ&¬$ü\x18", lpUsedDefaultChar=0x0) returned 256 [0098.379] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x80) returned 0x10e3848 [0098.379] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0098.379] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x170) returned 0x10f1de8 [0098.379] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0098.379] GetLastError () returned 0x0 [0098.379] SetLastError (dwErrCode=0x0) [0098.379] GetEnvironmentStringsW () returned 0x10f1f60* [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0xa8c) returned 0x10f29f8 [0098.380] FreeEnvironmentStringsW (penv=0x10f1f60) returned 1 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x90) returned 0x10e4538 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3e) returned 0x10eab90 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x5c) returned 0x10e8a78 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x6e) returned 0x10e4830 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x78) returned 0x10f4238 [0098.380] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x62) returned 0x10e49d0 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x28) returned 0x10e3d68 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x48) returned 0x10e3fb8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1a) returned 0x10e3d98 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3a) returned 0x10eabd8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x62) returned 0x10e4600 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2a) returned 0x10e8848 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2e) returned 0x10e86c0 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1c) returned 0x10e47a0 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x144) returned 0x10e9c90 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x7c) returned 0x10e4370 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x36) returned 0x10ee1d8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3a) returned 0x10ead40 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x90) returned 0x10e3de0 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e47c8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x30) returned 0x10e8880 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x36) returned 0x10ee058 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x48) returned 0x10e3bc8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x52) returned 0x10e38e8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3c) returned 0x10ead88 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0xd6) returned 0x10e9e50 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2e) returned 0x10e86f8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1e) returned 0x10e3c18 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2c) returned 0x10e8768 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x54) returned 0x10e28e8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x52) returned 0x10e04b8 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e4040 [0098.381] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x42) returned 0x10e4070 [0098.382] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2c) returned 0x10e8998 [0098.382] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x44) returned 0x10e9f80 [0098.382] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e40c0 [0098.382] HeapFree (in: hHeap=0x10e0000, dwFlags=0x0, lpMem=0x10f29f8 | out: hHeap=0x10e0000) returned 1 [0098.382] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x800) returned 0x10f1f60 [0098.383] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0098.383] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0098.383] GetStartupInfoW (in: lpStartupInfo=0x18fc50 | out: lpStartupInfo=0x18fc50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0098.383] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession" [0098.383] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession", pNumArgs=0x18fc3c | out: pNumArgs=0x18fc3c) returned 0x10f2bb0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0098.384] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0098.387] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x1000) returned 0x10f4498 [0098.387] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x38) returned 0x10edf98 [0098.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_freeSession", cchWideChar=-1, lpMultiByteStr=0x10edf98, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_freeSession", lpUsedDefaultChar=0x0) returned 28 [0098.387] GetLastError () returned 0x0 [0098.387] SetLastError (dwErrCode=0x0) [0098.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionW") returned 0x0 [0098.388] GetLastError () returned 0x7f [0098.388] SetLastError (dwErrCode=0x7f) [0098.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionA") returned 0x0 [0098.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSession") returned 0x647cf0be [0098.388] GetActiveWindow () returned 0x0 [0098.389] GetLastError () returned 0x7f [0098.389] SetLastError (dwErrCode=0x7f) Thread: id = 165 os_tid = 0x1228 Process: id = "86" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7cb59000" os_pid = "0xd28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "85" os_parent_pid = "0xd14" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "87" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x575d0000" os_pid = "0xd18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5706 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5707 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5708 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5709 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5710 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5711 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5712 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5713 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5714 start_va = 0xad0000 end_va = 0xad1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 5715 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5716 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5717 start_va = 0x7e8e0000 end_va = 0x7e902fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8e0000" filename = "" Region: id = 5718 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5719 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5720 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5721 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5722 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5723 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5724 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5725 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5726 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5727 start_va = 0xae0000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 5728 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5730 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5731 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5732 start_va = 0x7e7e0000 end_va = 0x7e8dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7e0000" filename = "" Region: id = 5733 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5734 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5735 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5736 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5737 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5738 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5739 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5740 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5741 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5742 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5743 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5744 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5745 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5746 start_va = 0xad0000 end_va = 0xad3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 5748 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5749 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5750 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5751 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5752 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5753 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5754 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5755 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5756 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5757 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5758 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 5759 start_va = 0xae0000 end_va = 0xb09fff monitored = 0 entry_point = 0xae5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5760 start_va = 0xb40000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 5761 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5762 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5763 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5764 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 5765 start_va = 0xc40000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 5766 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5767 start_va = 0xc40000 end_va = 0xcd0fff monitored = 0 entry_point = 0xc78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5768 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 5770 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5771 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 5772 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 5773 start_va = 0xaf0000 end_va = 0xaf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 5774 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 5775 start_va = 0xb00000 end_va = 0xb01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 5776 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 5777 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 5780 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 5781 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Thread: id = 166 os_tid = 0x1298 [0099.222] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0099.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0099.223] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0099.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0099.224] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0099.224] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0099.226] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0099.226] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0099.227] GetProcessHeap () returned 0xb40000 [0099.227] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0099.228] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0099.228] GetLastError () returned 0x7e [0099.228] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0099.228] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0099.228] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x364) returned 0xb50a50 [0099.229] SetLastError (dwErrCode=0x7e) [0099.284] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0xe00) returned 0xb50dc0 [0099.285] GetStartupInfoW (in: lpStartupInfo=0x18fc64 | out: lpStartupInfo=0x18fc64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0099.285] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0099.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0099.285] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0099.285] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook" [0099.285] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook" [0099.285] GetACP () returned 0x4e4 [0099.285] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x0, Size=0x220) returned 0xb51bc8 [0099.285] IsValidCodePage (CodePage=0x4e4) returned 1 [0099.285] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc84 | out: lpCPInfo=0x18fc84) returned 1 [0099.285] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f54c | out: lpCPInfo=0x18f54c) returned 1 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0099.286] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f560 | out: lpCharType=0x18f560) returned 1 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0099.286] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0099.286] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0099.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0099.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f098, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0099.286] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk\rîj\x9cü\x18", lpUsedDefaultChar=0x0) returned 256 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0099.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0099.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0099.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0099.286] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f960, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk\rîj\x9cü\x18", lpUsedDefaultChar=0x0) returned 256 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x0, Size=0x80) returned 0xb43850 [0099.287] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x176) returned 0xb51df0 [0099.287] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0099.287] GetLastError () returned 0x0 [0099.287] SetLastError (dwErrCode=0x0) [0099.287] GetEnvironmentStringsW () returned 0xb51f70* [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x0, Size=0xa8c) returned 0xb52a08 [0099.287] FreeEnvironmentStringsW (penv=0xb51f70) returned 1 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x90) returned 0xb44540 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x3e) returned 0xb4aa78 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x5c) returned 0xb48a80 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x6e) returned 0xb44838 [0099.287] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x78) returned 0xb54348 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x62) returned 0xb449d8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x28) returned 0xb43d70 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x48) returned 0xb43fc0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x1a) returned 0xb43da0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x3a) returned 0xb4b0f0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x62) returned 0xb44608 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x2a) returned 0xb486c8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x2e) returned 0xb489d8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x1c) returned 0xb447a8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x144) returned 0xb49c98 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x7c) returned 0xb44378 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x36) returned 0xb4e660 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x3a) returned 0xb4ae68 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x90) returned 0xb43de8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x24) returned 0xb447d0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x30) returned 0xb48850 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x36) returned 0xb4e620 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x48) returned 0xb43bd0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x52) returned 0xb438f0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x3c) returned 0xb4ad00 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0xd6) returned 0xb49e58 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x2e) returned 0xb487e0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x1e) returned 0xb43c20 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x2c) returned 0xb48770 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x54) returned 0xb428f0 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x52) returned 0xb404b8 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x24) returned 0xb44048 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x42) returned 0xb44078 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x2c) returned 0xb48888 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x44) returned 0xb49f88 [0099.288] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x24) returned 0xb440c8 [0099.289] HeapFree (in: hHeap=0xb40000, dwFlags=0x0, lpMem=0xb52a08 | out: hHeap=0xb40000) returned 1 [0099.289] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x8, Size=0x800) returned 0xb51f70 [0099.289] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0099.289] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0099.289] GetStartupInfoW (in: lpStartupInfo=0x18fcc8 | out: lpStartupInfo=0x18fcc8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0099.289] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook" [0099.290] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook", pNumArgs=0x18fcb4 | out: pNumArgs=0x18fcb4) returned 0xb52bc0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0099.290] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0099.292] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x0, Size=0x1000) returned 0xb544a8 [0099.292] RtlAllocateHeap (HeapHandle=0xb40000, Flags=0x0, Size=0x3e) returned 0xb4b018 [0099.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getCleanupHook", cchWideChar=-1, lpMultiByteStr=0xb4b018, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0099.293] GetLastError () returned 0x0 [0099.293] SetLastError (dwErrCode=0x0) [0099.293] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookW") returned 0x0 [0099.293] GetLastError () returned 0x7f [0099.293] SetLastError (dwErrCode=0x7f) [0099.293] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookA") returned 0x0 [0099.293] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHook") returned 0x647cf05a [0099.293] GetActiveWindow () returned 0x0 [0099.294] GetLastError () returned 0x7f [0099.294] SetLastError (dwErrCode=0x7f) Thread: id = 168 os_tid = 0x11bc Process: id = "88" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13708000" os_pid = "0x340" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "87" os_parent_pid = "0xd18" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "89" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x137e9000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5783 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5784 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5785 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5786 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5787 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5788 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5789 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5790 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5791 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5792 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5793 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5794 start_va = 0x7f2b0000 end_va = 0x7f2d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2b0000" filename = "" Region: id = 5795 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5796 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5797 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5798 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5801 start_va = 0x410000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 5802 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5803 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5804 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5805 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5806 start_va = 0x590000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5807 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5808 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5809 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5810 start_va = 0x7f1b0000 end_va = 0x7f2affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1b0000" filename = "" Region: id = 5811 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5812 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5813 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5814 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5815 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5816 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 5817 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5818 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5819 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5820 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5821 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5822 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5823 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5824 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5825 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 5826 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5827 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5828 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5829 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5830 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5831 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5832 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5833 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5834 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5835 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5836 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5837 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 5838 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5839 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5840 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 5841 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 5842 start_va = 0xb00000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 5843 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5844 start_va = 0x4e0000 end_va = 0x570fff monitored = 0 entry_point = 0x518cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5845 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5846 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 5847 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5848 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5852 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5853 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 5854 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 5855 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 5856 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 5857 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 169 os_tid = 0x8e4 [0100.172] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0100.172] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.173] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0100.173] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.173] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0100.173] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0100.173] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.174] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0100.174] GetProcessHeap () returned 0x6e0000 [0100.174] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0100.174] GetLastError () returned 0x7e [0100.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0100.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0100.174] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x364) returned 0x6f0a30 [0100.175] SetLastError (dwErrCode=0x7e) [0100.175] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xe00) returned 0x6f0da0 [0100.176] GetStartupInfoW (in: lpStartupInfo=0x18f72c | out: lpStartupInfo=0x18f72c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0100.176] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0100.176] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0100.176] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0100.176] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509" [0100.176] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509" [0100.177] GetACP () returned 0x4e4 [0100.177] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x220) returned 0x6f1ba8 [0100.177] IsValidCodePage (CodePage=0x4e4) returned 1 [0100.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f74c | out: lpCPInfo=0x18f74c) returned 1 [0100.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f014 | out: lpCPInfo=0x18f014) returned 1 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0100.177] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f028 | out: lpCharType=0x18f028) returned 1 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x18ed68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0100.177] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.177] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0100.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eb58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0100.177] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f528, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{c\x81©d÷\x18", lpUsedDefaultChar=0x0) returned 256 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f628, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0100.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0100.178] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f428, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{c\x81©d÷\x18", lpUsedDefaultChar=0x0) returned 256 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x80) returned 0x6e3838 [0100.178] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x168) returned 0x6f1dd0 [0100.178] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0100.178] GetLastError () returned 0x0 [0100.178] SetLastError (dwErrCode=0x0) [0100.178] GetEnvironmentStringsW () returned 0x6f1f40* [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0xa8c) returned 0x6f29d8 [0100.178] FreeEnvironmentStringsW (penv=0x6f1f40) returned 1 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4788 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3e) returned 0x6eaff8 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x5c) returned 0x6e8a60 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x6e) returned 0x6e4850 [0100.178] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x78) returned 0x6f4198 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e4c20 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x28) returned 0x6e3d58 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e3fa8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1a) returned 0x6e0570 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eae90 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e3bb8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2a) returned 0x6e89b8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e88a0 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1c) returned 0x6e3d88 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x144) returned 0x6e9c78 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x7c) returned 0x6e82c0 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6edf80 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eace0 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4360 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e38d8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x30) returned 0x6e8948 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6ee280 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e28e0 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e04b8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3c) returned 0x6eae48 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xd6) returned 0x6e9e38 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e88d8 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1e) returned 0x6e2930 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e8638 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x54) returned 0x6e3dd0 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e4030 [0100.179] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3e30 [0100.180] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x42) returned 0x6e4090 [0100.180] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e8980 [0100.180] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x44) returned 0x6e9f68 [0100.180] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3908 [0100.180] HeapFree (in: hHeap=0x6e0000, dwFlags=0x0, lpMem=0x6f29d8 | out: hHeap=0x6e0000) returned 1 [0100.180] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x800) returned 0x6f1f40 [0100.181] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0100.181] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0100.181] GetStartupInfoW (in: lpStartupInfo=0x18f790 | out: lpStartupInfo=0x18f790*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0100.181] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509" [0100.181] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509", pNumArgs=0x18f77c | out: pNumArgs=0x18f77c) returned 0x6f2b90*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0100.181] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0100.184] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x1000) returned 0x6f4478 [0100.184] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x30) returned 0x6e8718 [0100.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getX509", cchWideChar=-1, lpMultiByteStr=0x6e8718, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getX509", lpUsedDefaultChar=0x0) returned 24 [0100.184] GetLastError () returned 0x0 [0100.184] SetLastError (dwErrCode=0x0) [0100.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509W") returned 0x0 [0100.185] GetLastError () returned 0x7f [0100.185] SetLastError (dwErrCode=0x7f) [0100.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509A") returned 0x0 [0100.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509") returned 0x647ced54 [0100.185] GetActiveWindow () returned 0x0 [0100.186] GetLastError () returned 0x7f [0100.186] SetLastError (dwErrCode=0x7f) Thread: id = 171 os_tid = 0xa88 Process: id = "90" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x132ff000" os_pid = "0x864" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5858 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5859 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5860 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5861 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5862 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5863 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5864 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5865 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5866 start_va = 0xc10000 end_va = 0xc11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 5867 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5868 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5869 start_va = 0x7f470000 end_va = 0x7f492fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f470000" filename = "" Region: id = 5870 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5871 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5872 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5873 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5874 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5875 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5876 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5877 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5878 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5879 start_va = 0xc20000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 5880 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5881 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5882 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5883 start_va = 0x7f370000 end_va = 0x7f46ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f370000" filename = "" Region: id = 5884 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5885 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 5886 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5887 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5888 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5889 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 5890 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5891 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5892 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5893 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5894 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5895 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5896 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5897 start_va = 0xc10000 end_va = 0xc13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 5898 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5899 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5900 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5901 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5902 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5903 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5904 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5905 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5906 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5907 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5908 start_va = 0x6b0000 end_va = 0x837fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 5909 start_va = 0xc20000 end_va = 0xc49fff monitored = 0 entry_point = 0xc25680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5910 start_va = 0xcb0000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 5911 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5912 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5913 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5914 start_va = 0x840000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 5915 start_va = 0xdb0000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 5916 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 5917 start_va = 0xdb0000 end_va = 0xe40fff monitored = 0 entry_point = 0xde8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 5918 start_va = 0xf20000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 5919 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 5920 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 5921 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 5922 start_va = 0xc30000 end_va = 0xc37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 5925 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 5926 start_va = 0xc40000 end_va = 0xc41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 5927 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 5928 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 5929 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 5930 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Thread: id = 172 os_tid = 0x11f4 [0100.850] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0100.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.851] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0100.851] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0100.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0100.852] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.852] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0100.852] GetProcessHeap () returned 0xcb0000 [0100.852] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0100.852] GetLastError () returned 0x7e [0100.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0100.853] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0100.853] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x364) returned 0xcc0a48 [0100.853] SetLastError (dwErrCode=0x7e) [0100.853] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0xe00) returned 0xcc0db8 [0100.909] GetStartupInfoW (in: lpStartupInfo=0x18fe74 | out: lpStartupInfo=0x18fe74*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0100.909] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0100.909] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0100.909] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0100.909] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP" [0100.909] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP" [0100.909] GetACP () returned 0x4e4 [0100.909] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x0, Size=0x220) returned 0xcc1bc0 [0100.909] IsValidCodePage (CodePage=0x4e4) returned 1 [0100.910] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe94 | out: lpCPInfo=0x18fe94) returned 1 [0100.910] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f75c | out: lpCPInfo=0x18f75c) returned 1 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x18f4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0100.910] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f770 | out: lpCharType=0x18f770) returned 1 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x18f4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0100.910] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0100.910] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0100.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0100.910] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc70, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuÓõB¬þ\x18", lpUsedDefaultChar=0x0) returned 256 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd70, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0100.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0100.911] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb70, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuÓõB¬þ\x18", lpUsedDefaultChar=0x0) returned 256 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x0, Size=0x80) returned 0xcb3850 [0100.911] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x176) returned 0xcc1de8 [0100.911] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0100.911] GetLastError () returned 0x0 [0100.911] SetLastError (dwErrCode=0x0) [0100.911] GetEnvironmentStringsW () returned 0xcc1f68* [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x0, Size=0xa8c) returned 0xcc2a00 [0100.911] FreeEnvironmentStringsW (penv=0xcc1f68) returned 1 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x90) returned 0xcb4540 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x3e) returned 0xcbadd0 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x5c) returned 0xcb8818 [0100.911] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x6e) returned 0xcb4608 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x78) returned 0xcc4340 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x62) returned 0xcb49d8 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x28) returned 0xcb3d70 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x48) returned 0xcb3fc0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x1a) returned 0xcb0570 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x3a) returned 0xcbad88 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x62) returned 0xcb3bd0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x2a) returned 0xcb8770 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x2e) returned 0xcb83f0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x1c) returned 0xcb3da0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x144) returned 0xcb9c90 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x7c) returned 0xcb8078 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x36) returned 0xcbe018 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x3a) returned 0xcbb058 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x90) returned 0xcb4378 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x24) returned 0xcb38f0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x30) returned 0xcb8540 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x36) returned 0xcbdfd8 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x48) returned 0xcb28f0 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x52) returned 0xcb04b8 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x3c) returned 0xcbab48 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0xd6) returned 0xcb9e50 [0100.912] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x2e) returned 0xcb8428 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x1e) returned 0xcb2940 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x2c) returned 0xcb8460 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x54) returned 0xcb3de8 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x52) returned 0xcb4048 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x24) returned 0xcb3e48 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x42) returned 0xcb40a8 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x2c) returned 0xcb8578 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x44) returned 0xcb9f80 [0100.913] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x24) returned 0xcb3920 [0100.914] HeapFree (in: hHeap=0xcb0000, dwFlags=0x0, lpMem=0xcc2a00 | out: hHeap=0xcb0000) returned 1 [0100.914] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x8, Size=0x800) returned 0xcc1f68 [0100.914] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0100.914] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0100.914] GetStartupInfoW (in: lpStartupInfo=0x18fed8 | out: lpStartupInfo=0x18fed8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0100.914] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP" [0100.914] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP", pNumArgs=0x18fec4 | out: pNumArgs=0x18fec4) returned 0xcc2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0100.915] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0100.920] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x0, Size=0x1000) returned 0xcc44a0 [0100.920] RtlAllocateHeap (HeapHandle=0xcb0000, Flags=0x0, Size=0x3e) returned 0xcbb0a0 [0100.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getEVP", cchWideChar=-1, lpMultiByteStr=0xcbb0a0, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getEVP", lpUsedDefaultChar=0x0) returned 31 [0100.920] GetLastError () returned 0x0 [0100.920] SetLastError (dwErrCode=0x0) [0100.920] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPW") returned 0x0 [0100.921] GetLastError () returned 0x7f [0100.921] SetLastError (dwErrCode=0x7f) [0100.921] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPA") returned 0x0 [0100.921] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVP") returned 0x647cf371 [0100.921] GetActiveWindow () returned 0x0 [0100.922] GetLastError () returned 0x7f [0100.922] SetLastError (dwErrCode=0x7f) Thread: id = 174 os_tid = 0x12c4 Process: id = "91" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46819000" os_pid = "0x11e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "89" os_parent_pid = "0xd24" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "92" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x29256000" os_pid = "0x12c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "90" os_parent_pid = "0x864" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "93" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x64918000" os_pid = "0x768" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5938 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5939 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5940 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5941 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5942 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 5943 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 5944 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5945 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 5946 start_va = 0x850000 end_va = 0x851fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 5947 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 5948 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5949 start_va = 0x7f5f0000 end_va = 0x7f612fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5f0000" filename = "" Region: id = 5950 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5951 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5952 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5953 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 5956 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5957 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5960 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5961 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5962 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5963 start_va = 0x860000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 5964 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5965 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5967 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5968 start_va = 0x7f4f0000 end_va = 0x7f5effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4f0000" filename = "" Region: id = 5969 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5970 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5971 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5972 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 5973 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 5974 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 5975 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5976 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5977 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 5978 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 5979 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5980 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5981 start_va = 0x850000 end_va = 0x853fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 5982 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5983 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 5984 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5985 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5986 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 5987 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 5988 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 5989 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 5990 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5991 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 5992 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 5993 start_va = 0x860000 end_va = 0x889fff monitored = 0 entry_point = 0x865680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5994 start_va = 0x8a0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 5995 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5996 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5997 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5998 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5999 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 6000 start_va = 0x9a0000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 6001 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6002 start_va = 0xb30000 end_va = 0xbc0fff monitored = 0 entry_point = 0xb68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6003 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6004 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 6005 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 6006 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 6007 start_va = 0x880000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 6008 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 6009 start_va = 0x890000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 6010 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 6011 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 6012 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 6013 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Thread: id = 176 os_tid = 0x1334 [0102.250] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0102.250] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.251] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0102.251] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.251] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0102.251] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0102.252] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.252] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0102.252] GetProcessHeap () returned 0x8a0000 [0102.252] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.252] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0102.252] GetLastError () returned 0x7e [0102.253] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0102.253] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0102.253] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x364) returned 0x8b0a48 [0102.253] SetLastError (dwErrCode=0x7e) [0102.253] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xe00) returned 0x8b0db8 [0102.255] GetStartupInfoW (in: lpStartupInfo=0x18f7e8 | out: lpStartupInfo=0x18f7e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0102.255] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0102.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0102.255] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0102.255] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA" [0102.255] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA" [0102.255] GetACP () returned 0x4e4 [0102.255] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x220) returned 0x8b1bc0 [0102.255] IsValidCodePage (CodePage=0x4e4) returned 1 [0102.255] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f808 | out: lpCPInfo=0x18f808) returned 1 [0102.255] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0d0 | out: lpCPInfo=0x18f0d0) returned 1 [0102.255] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0102.256] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0e4 | out: lpCharType=0x18f0e4) returned 1 [0102.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0102.256] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.256] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0102.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0102.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0102.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x87Ûð\x1a ø\x18", lpUsedDefaultChar=0x0) returned 256 [0102.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6e4, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0102.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0102.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0102.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4e4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x87Ûð\x1a ø\x18", lpUsedDefaultChar=0x0) returned 256 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x80) returned 0x8a3850 [0102.257] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x176) returned 0x8b1de8 [0102.257] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0102.257] GetLastError () returned 0x0 [0102.257] SetLastError (dwErrCode=0x0) [0102.257] GetEnvironmentStringsW () returned 0x8b1f68* [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0xa8c) returned 0x8b2a00 [0102.257] FreeEnvironmentStringsW (penv=0x8b1f68) returned 1 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x90) returned 0x8a4540 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3e) returned 0x8aacb0 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x5c) returned 0x8a8818 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x6e) returned 0x8a4608 [0102.257] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x78) returned 0x8b3cc0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x62) returned 0x8a49d8 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x28) returned 0x8a3d70 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x48) returned 0x8a3fc0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1a) returned 0x8a0570 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3a) returned 0x8aaf80 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x62) returned 0x8a3bd0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2a) returned 0x8a86c8 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e) returned 0x8a8700 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1c) returned 0x8a3da0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x144) returned 0x8a9a30 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x7c) returned 0x8a8078 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x36) returned 0x8ae158 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3a) returned 0x8ab130 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x90) returned 0x8a4378 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x24) returned 0x8a38f0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x30) returned 0x8a8738 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x36) returned 0x8ae1d8 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x48) returned 0x8a28f0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x52) returned 0x8a04b8 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x3c) returned 0x8aaa70 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0xd6) returned 0x8a9bf0 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2e) returned 0x8a8770 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x1e) returned 0x8a2940 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2c) returned 0x8a8428 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x54) returned 0x8a3de8 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x52) returned 0x8a4048 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x24) returned 0x8a3e48 [0102.258] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x42) returned 0x8a40a8 [0102.259] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x2c) returned 0x8a8540 [0102.259] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x44) returned 0x8a9d20 [0102.259] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x24) returned 0x8a3920 [0102.259] HeapFree (in: hHeap=0x8a0000, dwFlags=0x0, lpMem=0x8b2a00 | out: hHeap=0x8a0000) returned 1 [0102.259] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x8, Size=0x800) returned 0x8b1f68 [0102.259] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0102.259] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0102.259] GetStartupInfoW (in: lpStartupInfo=0x18f84c | out: lpStartupInfo=0x18f84c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0102.259] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA" [0102.259] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA", pNumArgs=0x18f838 | out: pNumArgs=0x18f838) returned 0x8b2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0102.260] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0102.263] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x1000) returned 0x8b44a0 [0102.263] RtlAllocateHeap (HeapHandle=0x8a0000, Flags=0x0, Size=0x3e) returned 0x8ab058 [0102.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getRSA", cchWideChar=-1, lpMultiByteStr=0x8ab058, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getRSA", lpUsedDefaultChar=0x0) returned 31 [0102.264] GetLastError () returned 0x0 [0102.264] SetLastError (dwErrCode=0x0) [0102.264] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAW") returned 0x0 [0102.264] GetLastError () returned 0x7f [0102.264] SetLastError (dwErrCode=0x7f) [0102.264] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAA") returned 0x0 [0102.264] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSA") returned 0x647cf249 [0102.265] GetActiveWindow () returned 0x0 [0102.266] GetLastError () returned 0x7f [0102.266] SetLastError (dwErrCode=0x7f) Thread: id = 179 os_tid = 0x12e8 Process: id = "94" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79cda000" os_pid = "0x1348" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "93" os_parent_pid = "0x768" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "95" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13031000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6016 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6017 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6018 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6019 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 6020 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 6021 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 6022 start_va = 0xd0000 end_va = 0xd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6023 start_va = 0xe0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 6024 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6025 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6026 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6027 start_va = 0x7eac0000 end_va = 0x7eae2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eac0000" filename = "" Region: id = 6028 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6029 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6030 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6031 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6033 start_va = 0x400000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6034 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6035 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6036 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6037 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6038 start_va = 0x4b0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 6039 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6040 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6041 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6042 start_va = 0x7e9c0000 end_va = 0x7eabffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9c0000" filename = "" Region: id = 6043 start_va = 0x4b0000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6044 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 6045 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6046 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6047 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6048 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 6049 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 6050 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6051 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6052 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6053 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6054 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6055 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6056 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6057 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6058 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6059 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6060 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6061 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6062 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6063 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6064 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6065 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6066 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6067 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6068 start_va = 0x440000 end_va = 0x469fff monitored = 0 entry_point = 0x445680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6069 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 6070 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6072 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6073 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 6074 start_va = 0x570000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 6075 start_va = 0x9a0000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 6076 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6077 start_va = 0xb30000 end_va = 0xbc0fff monitored = 0 entry_point = 0xb68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6078 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6079 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6080 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 6081 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 6082 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6083 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 6084 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6085 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 6088 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 6089 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 180 os_tid = 0x1148 [0102.927] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0102.927] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.927] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0102.927] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.927] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0102.928] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0102.928] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.928] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0102.929] GetProcessHeap () returned 0x610000 [0102.929] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.929] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0102.929] GetLastError () returned 0x7e [0102.929] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0102.929] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0102.929] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x364) returned 0x620a50 [0102.929] SetLastError (dwErrCode=0x7e) [0102.930] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe00) returned 0x620dc0 [0102.931] GetStartupInfoW (in: lpStartupInfo=0x1dfb6c | out: lpStartupInfo=0x1dfb6c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0102.931] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0102.932] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0102.933] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0102.933] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509" [0102.933] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509" [0102.933] GetACP () returned 0x4e4 [0102.933] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x220) returned 0x621bc8 [0102.933] IsValidCodePage (CodePage=0x4e4) returned 1 [0102.933] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1dfb8c | out: lpCPInfo=0x1dfb8c) returned 1 [0102.933] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1df454 | out: lpCPInfo=0x1df454) returned 1 [0102.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x1df1f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0102.933] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x1df468 | out: lpCharType=0x1df468) returned 1 [0102.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.933] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x1df1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0102.933] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0102.933] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0102.933] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0102.933] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x1def98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0102.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1df968, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿãúñJ¤û\x1d", lpUsedDefaultChar=0x0) returned 256 [0102.934] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0102.934] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1dfa68, cbMultiByte=256, lpWideCharStr=0x1df1c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0102.934] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0102.934] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x1defb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0102.934] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1df868, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿãúñJ¤û\x1d", lpUsedDefaultChar=0x0) returned 256 [0102.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x80) returned 0x613850 [0102.934] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0102.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x178) returned 0x621df0 [0102.934] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0102.934] GetLastError () returned 0x0 [0102.934] SetLastError (dwErrCode=0x0) [0102.934] GetEnvironmentStringsW () returned 0x621f70* [0102.934] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa8c) returned 0x622a08 [0102.935] FreeEnvironmentStringsW (penv=0x621f70) returned 1 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x90) returned 0x614540 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3e) returned 0x61ac70 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x5c) returned 0x618a80 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x6e) returned 0x614838 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x78) returned 0x623d48 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x62) returned 0x6149d8 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x613d70 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x613fc0 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a) returned 0x613da0 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3a) returned 0x61aef8 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x62) returned 0x614608 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2a) returned 0x6188f8 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2e) returned 0x618700 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x6147a8 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x144) returned 0x619c98 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x7c) returned 0x614378 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x36) returned 0x61e6e0 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3a) returned 0x61ab08 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x90) returned 0x613de8 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x6147d0 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x618690 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x36) returned 0x61dfa0 [0102.935] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x613bd0 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x52) returned 0x6138f0 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3c) returned 0x61ae68 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xd6) returned 0x619e58 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2e) returned 0x618770 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1e) returned 0x613c20 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2c) returned 0x6188c0 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x54) returned 0x6128f0 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x52) returned 0x6104b8 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x614048 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x42) returned 0x614078 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2c) returned 0x618930 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x619f88 [0102.936] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x6140c8 [0102.937] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x622a08 | out: hHeap=0x610000) returned 1 [0102.937] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x800) returned 0x621f70 [0102.937] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0102.937] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0102.937] GetStartupInfoW (in: lpStartupInfo=0x1dfbd0 | out: lpStartupInfo=0x1dfbd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0102.937] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509" [0102.937] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509", pNumArgs=0x1dfbbc | out: pNumArgs=0x1dfbbc) returned 0x622bc0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0102.937] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0102.940] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1000) returned 0x6244a8 [0102.940] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x40) returned 0x61aeb0 [0102.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getX509", cchWideChar=-1, lpMultiByteStr=0x61aeb0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getX509", lpUsedDefaultChar=0x0) returned 32 [0102.940] GetLastError () returned 0x0 [0102.940] SetLastError (dwErrCode=0x0) [0102.941] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509W") returned 0x0 [0102.941] GetLastError () returned 0x7f [0102.941] SetLastError (dwErrCode=0x7f) [0102.941] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509A") returned 0x0 [0102.941] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509") returned 0x647cf5b2 [0102.941] GetActiveWindow () returned 0x0 [0102.942] GetLastError () returned 0x7f [0102.942] SetLastError (dwErrCode=0x7f) Thread: id = 182 os_tid = 0x1214 Process: id = "96" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x44daa000" os_pid = "0x1364" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "95" os_parent_pid = "0x81c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "97" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6af4b000" os_pid = "0x131c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6093 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6094 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6095 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6096 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6097 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6098 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6099 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6100 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6101 start_va = 0x890000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 6102 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6103 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6104 start_va = 0x7f060000 end_va = 0x7f082fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 6105 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6106 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6107 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6108 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6111 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6112 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6113 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6114 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6115 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6116 start_va = 0x8a0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 6117 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6118 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6119 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6120 start_va = 0x7ef60000 end_va = 0x7f05ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 6121 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6122 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6123 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6124 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6125 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 6126 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6127 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6128 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6129 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6130 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6131 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6132 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6133 start_va = 0x890000 end_va = 0x893fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 6134 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6135 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6136 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6137 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6138 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6139 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6140 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6141 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6142 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6143 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6144 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 6145 start_va = 0x8a0000 end_va = 0x8c9fff monitored = 0 entry_point = 0x8a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6146 start_va = 0x950000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 6147 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6148 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6149 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6150 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 6151 start_va = 0xa50000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 6152 start_va = 0xbe0000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 6153 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6154 start_va = 0x8a0000 end_va = 0x930fff monitored = 0 entry_point = 0x8d8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6157 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6158 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 6159 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 6160 start_va = 0x8b0000 end_va = 0x8b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 6161 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 6162 start_va = 0x8c0000 end_va = 0x8c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 6163 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 6164 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 6165 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 6166 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Thread: id = 184 os_tid = 0x1108 [0103.366] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0103.367] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0103.367] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0103.367] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0103.367] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0103.367] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0103.368] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0103.368] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0103.368] GetProcessHeap () returned 0x950000 [0103.368] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0103.368] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0103.368] GetLastError () returned 0x7e [0103.369] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0103.377] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0103.377] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x364) returned 0x960a48 [0103.377] SetLastError (dwErrCode=0x7e) [0103.377] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0xe00) returned 0x960db8 [0103.379] GetStartupInfoW (in: lpStartupInfo=0x18f8d4 | out: lpStartupInfo=0x18f8d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0103.379] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0103.379] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0103.379] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0103.379] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook" [0103.379] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook" [0103.379] GetACP () returned 0x4e4 [0103.379] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x0, Size=0x220) returned 0x961bc0 [0103.379] IsValidCodePage (CodePage=0x4e4) returned 1 [0103.379] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8f4 | out: lpCPInfo=0x18f8f4) returned 1 [0103.379] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1bc | out: lpCPInfo=0x18f1bc) returned 1 [0103.379] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.379] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0103.380] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1d0 | out: lpCharType=0x18f1d0) returned 1 [0103.380] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.380] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0103.380] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0103.380] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0103.380] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0103.380] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0103.380] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿN´Ø1\x0cù\x18", lpUsedDefaultChar=0x0) returned 256 [0103.380] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.380] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0103.380] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0103.380] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0103.380] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿN´Ø1\x0cù\x18", lpUsedDefaultChar=0x0) returned 256 [0103.380] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x0, Size=0x80) returned 0x953850 [0103.380] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x176) returned 0x961de8 [0103.381] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0103.381] GetLastError () returned 0x0 [0103.381] SetLastError (dwErrCode=0x0) [0103.381] GetEnvironmentStringsW () returned 0x961f68* [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x0, Size=0xa8c) returned 0x962a00 [0103.381] FreeEnvironmentStringsW (penv=0x961f68) returned 1 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x90) returned 0x954540 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x3e) returned 0x95ad88 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x5c) returned 0x958818 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x6e) returned 0x954608 [0103.381] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x78) returned 0x964340 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x62) returned 0x9549d8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x28) returned 0x953d70 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x48) returned 0x953fc0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x1a) returned 0x950570 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x3a) returned 0x95a9e0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x62) returned 0x953bd0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x2a) returned 0x958700 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x2e) returned 0x958738 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x1c) returned 0x953da0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x144) returned 0x959c90 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x7c) returned 0x958078 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x36) returned 0x95e5d8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x3a) returned 0x95b130 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x90) returned 0x954378 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x24) returned 0x9538f0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x30) returned 0x958540 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x36) returned 0x95e518 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x48) returned 0x9528f0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x52) returned 0x9504b8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x3c) returned 0x95b010 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0xd6) returned 0x959e50 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x2e) returned 0x9585b0 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x1e) returned 0x952940 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x2c) returned 0x958428 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x54) returned 0x953de8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x52) returned 0x954048 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x24) returned 0x953e48 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x42) returned 0x9540a8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x2c) returned 0x9585e8 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x44) returned 0x959f80 [0103.382] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x24) returned 0x953920 [0103.383] HeapFree (in: hHeap=0x950000, dwFlags=0x0, lpMem=0x962a00 | out: hHeap=0x950000) returned 1 [0103.383] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x8, Size=0x800) returned 0x961f68 [0103.383] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0103.383] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0103.383] GetStartupInfoW (in: lpStartupInfo=0x18f938 | out: lpStartupInfo=0x18f938*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0103.383] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook" [0103.384] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook", pNumArgs=0x18f924 | out: pNumArgs=0x18f924) returned 0x962bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0103.384] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0103.387] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x0, Size=0x1000) returned 0x9644a0 [0103.387] RtlAllocateHeap (HeapHandle=0x950000, Flags=0x0, Size=0x3e) returned 0x95ac20 [0103.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_setCleanupHook", cchWideChar=-1, lpMultiByteStr=0x95ac20, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_setCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0103.387] GetLastError () returned 0x0 [0103.387] SetLastError (dwErrCode=0x0) [0103.387] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookW") returned 0x0 [0103.387] GetLastError () returned 0x7f [0103.387] SetLastError (dwErrCode=0x7f) [0103.387] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookA") returned 0x0 [0103.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHook") returned 0x647cf08a [0103.388] GetActiveWindow () returned 0x0 [0103.388] GetLastError () returned 0x7f [0103.389] SetLastError (dwErrCode=0x7f) Thread: id = 186 os_tid = 0x12d8 Process: id = "98" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45be7000" os_pid = "0x1300" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "97" os_parent_pid = "0x131c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "99" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x62164000" os_pid = "0x1318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6178 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6179 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6180 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6181 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6182 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6183 start_va = 0xd40000 end_va = 0xd41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 6184 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6185 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6186 start_va = 0x7e720000 end_va = 0x7e742fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e720000" filename = "" Region: id = 6187 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6188 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6189 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6190 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6191 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6192 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6193 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6213 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6214 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6215 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6216 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6217 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6218 start_va = 0xd50000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 6219 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6221 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6222 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6223 start_va = 0x7e620000 end_va = 0x7e71ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e620000" filename = "" Region: id = 6224 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6225 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 6226 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6227 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6228 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6229 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 6230 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6231 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6232 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6233 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6234 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6250 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6251 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6252 start_va = 0xd40000 end_va = 0xd43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 6253 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6254 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6255 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6256 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6257 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6258 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6259 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6260 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6261 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6262 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6263 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 6264 start_va = 0xd50000 end_va = 0xd79fff monitored = 0 entry_point = 0xd55680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6265 start_va = 0xec0000 end_va = 0xfbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 6266 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6269 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6270 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 6271 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 6272 start_va = 0xd50000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 6273 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6274 start_va = 0xd50000 end_va = 0xde0fff monitored = 0 entry_point = 0xd88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6275 start_va = 0xe80000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 6281 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6282 start_va = 0xd50000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 6283 start_va = 0x960000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 6284 start_va = 0xd50000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 6285 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 6286 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6287 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6288 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6289 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6290 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6291 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6292 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6293 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6294 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6295 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6296 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6297 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6298 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6299 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6300 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6301 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6302 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6303 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6304 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6321 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6322 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6323 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6324 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6325 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6326 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6327 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6328 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6329 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6330 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6331 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6332 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6333 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6334 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6335 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6336 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6337 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6338 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6339 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6340 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6341 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6342 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6343 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6344 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6345 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6346 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6347 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6348 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6349 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6350 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6351 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6352 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6353 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6354 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6355 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6356 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6357 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6358 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6359 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6360 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6361 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6362 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6363 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6370 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6371 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6372 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6373 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6374 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6375 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6376 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6377 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6378 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6379 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6380 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6381 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6382 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6383 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6384 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6385 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6386 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6387 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6388 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6389 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6390 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6391 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6392 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6393 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6394 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6395 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6396 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6397 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6398 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6399 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6400 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6401 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6402 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6403 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6404 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6405 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6406 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6407 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6408 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6409 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6410 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6411 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6412 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6413 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6414 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6415 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6416 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6417 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6418 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6429 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6430 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6431 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6432 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6433 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6434 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6435 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6436 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6437 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6438 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6439 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6440 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6441 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6442 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6443 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6444 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6445 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6446 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6447 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6448 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6449 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6450 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6451 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6452 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6453 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6454 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6455 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6456 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6457 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6458 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6459 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6460 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6461 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6462 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6463 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6464 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6465 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6466 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6467 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6468 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6469 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6470 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6471 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6472 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6473 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6474 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6475 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6476 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6477 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6494 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6495 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6496 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6497 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6498 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6499 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6500 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6501 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6502 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6503 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6504 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6505 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6506 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6507 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6508 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6509 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6510 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6511 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6512 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6513 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6514 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6515 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6516 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6517 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6518 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6519 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6520 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6521 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6522 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6523 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6524 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6525 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6526 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6527 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6528 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6529 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6530 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6531 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6532 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6533 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6534 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6535 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6536 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6537 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6538 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6539 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6540 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6541 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6542 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6543 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6544 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6545 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6546 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6547 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6548 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6549 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6550 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6556 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6557 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6558 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6559 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6560 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6561 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6562 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6563 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6564 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6565 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6566 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6567 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6568 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6569 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6570 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6571 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6572 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6573 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6574 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6575 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6576 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6577 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6578 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6579 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6580 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6581 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6582 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6583 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6584 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6585 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6586 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6587 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 6588 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 15727 start_va = 0xd50000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 15728 start_va = 0xd50000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 15729 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15730 start_va = 0xd50000 end_va = 0xd55fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Thread: id = 188 os_tid = 0x10fc [0105.019] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0105.019] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.019] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0105.019] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.019] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0105.020] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0105.020] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.020] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0105.021] GetProcessHeap () returned 0xec0000 [0105.021] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.021] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0105.021] GetLastError () returned 0x7e [0105.021] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0105.022] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0105.022] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x364) returned 0xed0a28 [0105.022] SetLastError (dwErrCode=0x7e) [0105.022] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0xe00) returned 0xed0d98 [0105.024] GetStartupInfoW (in: lpStartupInfo=0x18fdf4 | out: lpStartupInfo=0x18fdf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0105.024] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0105.024] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0105.024] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0105.024] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay" [0105.024] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay" [0105.024] GetACP () returned 0x4e4 [0105.024] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x220) returned 0xed1ba0 [0105.024] IsValidCodePage (CodePage=0x4e4) returned 1 [0105.024] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe14 | out: lpCPInfo=0x18fe14) returned 1 [0105.024] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6dc | out: lpCPInfo=0x18f6dc) returned 1 [0105.024] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.025] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f6f0 | out: lpCharType=0x18f6f0) returned 1 [0105.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.030] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.030] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0105.031] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.031] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0105.031] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuß\nÿ,þ\x18", lpUsedDefaultChar=0x0) returned 256 [0105.031] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.031] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf0, cbMultiByte=256, lpWideCharStr=0x18f448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.031] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.031] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f238, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0105.031] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuß\nÿ,þ\x18", lpUsedDefaultChar=0x0) returned 256 [0105.031] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x80) returned 0xec3830 [0105.031] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0105.031] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x160) returned 0xec9c70 [0105.031] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0105.031] GetLastError () returned 0x0 [0105.031] SetLastError (dwErrCode=0x0) [0105.031] GetEnvironmentStringsW () returned 0xed1dc8* [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0xa8c) returned 0xed2860 [0105.032] FreeEnvironmentStringsW (penv=0xed1dc8) returned 1 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x90) returned 0xec4520 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3e) returned 0xecb038 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x5c) returned 0xec8a58 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x6e) returned 0xec45e8 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x78) returned 0xed3ea0 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x62) returned 0xec4c18 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x28) returned 0xec3d50 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x48) returned 0xec3fa0 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1a) returned 0xec0570 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3a) returned 0xecb080 [0105.032] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x62) returned 0xec3bb0 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2a) returned 0xec86d8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2e) returned 0xec8908 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1c) returned 0xec3d80 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x144) returned 0xed1dc8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x7c) returned 0xec82b8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x36) returned 0xece478 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3a) returned 0xecb0c8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x90) returned 0xec4358 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec38d0 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x30) returned 0xec8710 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x36) returned 0xece1f8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x48) returned 0xec28d8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x52) returned 0xec04b8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x3c) returned 0xecb110 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0xd6) returned 0xec9e30 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2e) returned 0xec8978 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x1e) returned 0xec2928 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2c) returned 0xec8780 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x54) returned 0xec3dc8 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x52) returned 0xec4028 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec3e28 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x42) returned 0xec4088 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x2c) returned 0xec88d0 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x44) returned 0xec9f60 [0105.033] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x24) returned 0xec3900 [0105.034] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xed2860 | out: hHeap=0xec0000) returned 1 [0105.034] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x8, Size=0x800) returned 0xed1f18 [0105.034] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0105.034] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0105.034] GetStartupInfoW (in: lpStartupInfo=0x18fe58 | out: lpStartupInfo=0x18fe58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0105.034] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay" [0105.034] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay", pNumArgs=0x18fe44 | out: pNumArgs=0x18fe44) returned 0xed2b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0105.035] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0105.038] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x1000) returned 0xed4300 [0105.038] RtlAllocateHeap (HeapHandle=0xec0000, Flags=0x0, Size=0x28) returned 0xeca6a8 [0105.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_plugAndPlay", cchWideChar=-1, lpMultiByteStr=0xeca6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_plugAndPlay", lpUsedDefaultChar=0x0) returned 20 [0105.038] GetLastError () returned 0x0 [0105.038] SetLastError (dwErrCode=0x0) [0105.038] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayW") returned 0x0 [0105.038] GetLastError () returned 0x7f [0105.038] SetLastError (dwErrCode=0x7f) [0105.038] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayA") returned 0x0 [0105.039] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlay") returned 0x647cbbbd [0105.039] GetActiveWindow () returned 0x0 [0105.042] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xed4300 | out: hHeap=0xec0000) returned 1 [0105.043] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xeca6a8 | out: hHeap=0xec0000) returned 1 [0105.043] GetCurrentProcessId () returned 0x1318 [0105.043] GetCurrentThreadId () returned 0x10fc [0105.043] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0105.054] Thread32First (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.055] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.059] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.060] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.061] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.062] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.063] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.063] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.064] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.065] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.065] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.066] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.067] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.068] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.068] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.069] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.070] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.070] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.071] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.157] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.158] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.159] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.160] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.160] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.161] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.162] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.163] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.164] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.164] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.165] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.167] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.171] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.171] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.172] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.173] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.174] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.174] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.175] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.176] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.176] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.177] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.178] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.179] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.179] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.180] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.181] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.185] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.186] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.187] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.188] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.188] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.189] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.190] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.191] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.191] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.192] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.193] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.194] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.194] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.195] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.196] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.196] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.267] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.268] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.269] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.270] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.270] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.271] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.272] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.273] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.274] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.274] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.276] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.277] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.278] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.279] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.280] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.280] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.281] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.282] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.283] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.283] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.284] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.285] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.286] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.286] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.287] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.288] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.288] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.289] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.290] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.291] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.292] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.293] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.294] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.294] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.295] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.296] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.296] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.297] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.298] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.299] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.299] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.300] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.301] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.302] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.302] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.303] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.304] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.305] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.305] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.346] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.347] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.348] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.349] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.349] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.350] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.351] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.352] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.352] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.355] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.355] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.356] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.357] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.357] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.358] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.359] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.360] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.361] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.361] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.362] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.363] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.364] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.364] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.365] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.366] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.367] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.367] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.368] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.369] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.370] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.371] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.371] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.372] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.373] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.374] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.374] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.375] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.376] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.377] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.377] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.378] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.379] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.379] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.380] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.381] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.382] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.382] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.383] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.384] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.434] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.435] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.436] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.436] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.437] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.438] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.439] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.439] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.440] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.441] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.442] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.442] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.443] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.444] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.445] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.445] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.446] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.448] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.449] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.449] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.450] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.451] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.452] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.452] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.453] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.454] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.455] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.455] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.456] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.457] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.458] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.458] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.459] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.460] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.461] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.461] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.462] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.464] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.464] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.465] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.466] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.467] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.467] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.468] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.469] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.471] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.473] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.474] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.476] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.477] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.478] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.514] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.514] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.515] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.516] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.517] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.517] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.518] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.519] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.520] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.520] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.521] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.522] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.523] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.523] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.524] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.525] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.527] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.528] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.529] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.530] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.530] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.531] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.532] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.533] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.533] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.534] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.535] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.536] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.536] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.537] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.538] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.539] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0105.539] Thread32Next (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0106.084] CloseHandle (hObject=0x150) returned 1 [0106.151] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xa7c) returned 0x150 [0106.151] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0164.282] CloseHandle (hObject=0x150) returned 1 [0164.282] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0164.294] Thread32First (hSnapshot=0x150, lpte=0x18fe28) returned 1 [0164.974] CloseHandle (hObject=0x150) returned 1 [0164.974] FreeLibrary (hLibModule=0x647c0000) returned 1 [0164.975] LocalFree (hMem=0xed2b68) returned 0x0 [0164.976] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0164.976] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0164.977] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xec3830 | out: hHeap=0xec0000) returned 1 [0164.979] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xed1f18 | out: hHeap=0xec0000) returned 1 [0164.979] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0164.979] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0164.980] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fe50 | out: phModule=0x18fe50) returned 0 [0164.980] ExitProcess (uExitCode=0x0) [0164.980] HeapFree (in: hHeap=0xec0000, dwFlags=0x0, lpMem=0xed0a28 | out: hHeap=0xec0000) returned 1 Thread: id = 192 os_tid = 0xa7c Process: id = "100" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1a27e000" os_pid = "0x12ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6305 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6306 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6307 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6308 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6309 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6310 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6311 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6312 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6313 start_va = 0x5a0000 end_va = 0x5a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 6314 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6315 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6316 start_va = 0x7fa70000 end_va = 0x7fa92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa70000" filename = "" Region: id = 6317 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6318 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6319 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6320 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6364 start_va = 0x5b0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 6365 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6366 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6367 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6368 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6369 start_va = 0x760000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 6419 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6420 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6421 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6422 start_va = 0x7f970000 end_va = 0x7fa6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f970000" filename = "" Region: id = 6423 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6424 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6425 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6426 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6427 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 6428 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6478 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6479 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6480 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6481 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6482 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6483 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6484 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 6485 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 6486 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6487 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6488 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6489 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6490 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6491 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6492 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6493 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6551 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6552 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6553 start_va = 0x5d0000 end_va = 0x5f9fff monitored = 0 entry_point = 0x5d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6554 start_va = 0x970000 end_va = 0xaf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 6555 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6589 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6590 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 6591 start_va = 0x5e0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 6592 start_va = 0xb00000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 6593 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6594 start_va = 0x5e0000 end_va = 0x670fff monitored = 0 entry_point = 0x618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6595 start_va = 0x740000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 6596 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6597 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 6598 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 6599 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 6601 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 6602 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 6603 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 6604 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 6605 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 6606 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Thread: id = 193 os_tid = 0x1210 [0105.649] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0105.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.649] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0105.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.649] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0105.649] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0105.651] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.651] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0105.652] GetProcessHeap () returned 0x870000 [0105.652] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.652] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0105.652] GetLastError () returned 0x7e [0105.652] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0105.652] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0105.652] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x364) returned 0x880a30 [0105.653] SetLastError (dwErrCode=0x7e) [0105.653] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0xe00) returned 0x880da0 [0105.655] GetStartupInfoW (in: lpStartupInfo=0x18f8a4 | out: lpStartupInfo=0x18f8a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0105.655] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0105.655] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0105.655] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0105.655] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider" [0105.655] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider" [0105.655] GetACP () returned 0x4e4 [0105.655] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0x220) returned 0x881ba8 [0105.655] IsValidCodePage (CodePage=0x4e4) returned 1 [0105.655] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8c4 | out: lpCPInfo=0x18f8c4) returned 1 [0105.655] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f18c | out: lpCPInfo=0x18f18c) returned 1 [0105.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.655] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1a0 | out: lpCharType=0x18f1a0) returned 1 [0105.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.655] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.655] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0105.656] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0105.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0105.656] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿË\x18è\x04Üø\x18", lpUsedDefaultChar=0x0) returned 256 [0105.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.656] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0105.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.656] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0105.656] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿË\x18è\x04Üø\x18", lpUsedDefaultChar=0x0) returned 256 [0105.656] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0x80) returned 0x873838 [0105.656] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0105.656] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x166) returned 0x881dd0 [0105.656] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0105.657] GetLastError () returned 0x0 [0105.657] SetLastError (dwErrCode=0x0) [0105.657] GetEnvironmentStringsW () returned 0x881f40* [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0xa8c) returned 0x8829d8 [0105.657] FreeEnvironmentStringsW (penv=0x881f40) returned 1 [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x90) returned 0x874788 [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x3e) returned 0x87ac08 [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x5c) returned 0x878a60 [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x6e) returned 0x874850 [0105.657] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x78) returned 0x884198 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x62) returned 0x874c20 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x28) returned 0x873fb8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x48) returned 0x874208 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x1a) returned 0x870570 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x3a) returned 0x87ad70 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x62) returned 0x873bb8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x2a) returned 0x878910 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x2e) returned 0x878670 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x1c) returned 0x873fe8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x144) returned 0x879c78 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x7c) returned 0x8782c0 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x36) returned 0x87e1c0 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x3a) returned 0x87af20 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x90) returned 0x8745c0 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x24) returned 0x8738d8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x30) returned 0x8786a8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x36) returned 0x87e640 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x48) returned 0x8728e0 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x52) returned 0x8704b8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x3c) returned 0x87adb8 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0xd6) returned 0x879e38 [0105.658] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x2e) returned 0x878638 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x1e) returned 0x872930 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x2c) returned 0x8788a0 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x54) returned 0x874030 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x52) returned 0x874290 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x24) returned 0x874090 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x42) returned 0x8742f0 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x2c) returned 0x8787f8 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x44) returned 0x879f68 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x24) returned 0x873908 [0105.659] HeapFree (in: hHeap=0x870000, dwFlags=0x0, lpMem=0x8829d8 | out: hHeap=0x870000) returned 1 [0105.659] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x8, Size=0x800) returned 0x881f40 [0105.660] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0105.660] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0105.660] GetStartupInfoW (in: lpStartupInfo=0x18f908 | out: lpStartupInfo=0x18f908*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0105.660] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider" [0105.660] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider", pNumArgs=0x18f8f4 | out: pNumArgs=0x18f8f4) returned 0x882b90*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0105.661] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0105.663] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0x1000) returned 0x884478 [0105.663] RtlAllocateHeap (HeapHandle=0x870000, Flags=0x0, Size=0x2e) returned 0x878718 [0105.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_removeProvider", cchWideChar=-1, lpMultiByteStr=0x878718, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_removeProvider", lpUsedDefaultChar=0x0) returned 23 [0105.664] GetLastError () returned 0x0 [0105.664] SetLastError (dwErrCode=0x0) [0105.664] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderW") returned 0x0 [0105.664] GetLastError () returned 0x7f [0105.664] SetLastError (dwErrCode=0x7f) [0105.664] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderA") returned 0x0 [0105.664] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProvider") returned 0x647cb8c9 [0105.665] GetActiveWindow () returned 0x0 [0105.665] GetLastError () returned 0x7f [0105.666] SetLastError (dwErrCode=0x7f) Thread: id = 195 os_tid = 0x1378 Process: id = "101" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6a1cc000" os_pid = "0x1324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "100" os_parent_pid = "0x12ac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "102" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x28896000" os_pid = "0x130c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6609 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6610 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6611 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6612 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6613 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6614 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6615 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6616 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6617 start_va = 0xfb0000 end_va = 0xfb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 6618 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6619 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6620 start_va = 0x7eb90000 end_va = 0x7ebb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb90000" filename = "" Region: id = 6621 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6622 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6623 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6624 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6625 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6626 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6627 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6628 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6629 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6630 start_va = 0xfc0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 6631 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6632 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6633 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6634 start_va = 0x7ea90000 end_va = 0x7eb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea90000" filename = "" Region: id = 6635 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6636 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6637 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6638 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6639 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 6640 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6641 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6642 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6643 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6644 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6645 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6646 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6647 start_va = 0xfb0000 end_va = 0xfb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 6648 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6649 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6650 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6651 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6652 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6653 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6654 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6655 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 6656 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6657 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6658 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 6659 start_va = 0xfc0000 end_va = 0xfe9fff monitored = 0 entry_point = 0xfc5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6660 start_va = 0x11b0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 6661 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6664 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6665 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6666 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 6667 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 6668 start_va = 0xfc0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 6669 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 6670 start_va = 0x1020000 end_va = 0x10b0fff monitored = 0 entry_point = 0x1058cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6690 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 6691 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 6692 start_va = 0x1010000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 6693 start_va = 0x970000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 6694 start_va = 0xfc0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 6695 start_va = 0xfe0000 end_va = 0xfe5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 6696 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6697 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6698 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6699 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6700 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6701 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6702 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6703 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6704 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6707 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6708 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6709 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6710 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6711 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6712 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6713 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6714 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6715 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6716 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6717 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6718 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6719 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6720 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6721 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6722 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6723 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6724 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6725 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6726 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6727 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6728 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6729 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6730 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6731 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6732 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6733 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6734 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6735 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6736 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6737 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6738 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6739 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6740 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6741 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6742 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6743 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6744 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6745 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6746 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6747 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6748 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6749 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6750 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6751 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6752 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6753 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6754 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6755 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6756 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6757 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6759 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6760 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6761 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6762 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6763 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6764 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6765 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6766 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6767 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6768 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6769 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6770 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6771 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6772 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6773 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6774 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6775 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6776 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6777 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6778 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6779 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6780 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6781 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6782 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6783 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6784 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6785 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6786 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6787 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6788 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6789 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6790 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6791 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6792 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6793 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6794 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6795 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6796 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6797 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6798 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6799 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6800 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6801 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6802 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6803 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6804 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6805 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6806 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6807 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6808 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6809 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6810 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6811 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6812 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6813 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6814 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6815 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6816 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6817 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6818 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6819 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6820 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6821 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6822 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6823 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6824 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6825 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6826 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6827 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6828 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6829 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6830 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6831 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6832 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6833 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6834 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6835 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6836 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6837 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6838 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6839 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6840 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6841 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6842 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6843 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6844 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6845 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6846 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6847 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6848 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6849 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6850 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6851 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6852 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6853 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6854 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6855 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6856 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6857 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6858 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6859 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6860 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6861 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6862 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6863 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6864 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6865 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6866 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6867 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6868 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6869 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6870 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6871 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6872 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6873 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6874 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6875 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6876 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6877 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6878 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6879 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6880 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6881 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6882 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6883 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6884 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6885 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6886 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6887 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6888 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6889 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6890 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6891 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6892 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6893 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6894 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6895 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6896 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6917 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6918 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6919 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6920 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6921 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6922 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6923 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6924 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6925 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6926 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6927 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6928 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6929 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6930 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6931 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6932 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6933 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6934 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6935 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6936 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6937 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6938 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6939 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6940 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6941 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6942 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6943 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6944 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6945 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6946 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6947 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6948 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6949 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6950 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6951 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6952 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6953 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6954 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6955 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6956 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6957 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6958 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6959 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6960 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6961 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6962 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6963 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6964 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6965 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6966 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6967 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 6968 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 16227 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 16228 start_va = 0xfc0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 16229 start_va = 0xfe0000 end_va = 0xfe5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 16230 start_va = 0xfc0000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Thread: id = 196 os_tid = 0x12b0 [0106.423] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0106.423] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0106.423] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0106.424] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0106.424] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0106.424] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0106.425] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0106.425] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0106.426] GetProcessHeap () returned 0x11b0000 [0106.426] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0106.426] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0106.426] GetLastError () returned 0x7e [0106.426] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0106.426] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0106.426] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x364) returned 0x11c0a28 [0106.427] SetLastError (dwErrCode=0x7e) [0106.427] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0xe00) returned 0x11c0d98 [0106.800] GetStartupInfoW (in: lpStartupInfo=0x18fa44 | out: lpStartupInfo=0x18fa44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0106.800] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0106.800] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0106.800] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0106.800] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode" [0106.800] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode" [0106.801] GetACP () returned 0x4e4 [0106.801] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x0, Size=0x220) returned 0x11c1ba0 [0106.801] IsValidCodePage (CodePage=0x4e4) returned 1 [0106.801] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa64 | out: lpCPInfo=0x18fa64) returned 1 [0106.801] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f32c | out: lpCPInfo=0x18f32c) returned 1 [0106.801] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0106.801] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x18f0c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0106.801] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f340 | out: lpCharType=0x18f340) returned 1 [0106.801] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0106.801] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0106.801] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0106.801] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0106.802] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0106.802] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0106.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f840, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿcîÆÎ|ú\x18", lpUsedDefaultChar=0x0) returned 256 [0106.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0106.802] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f940, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0106.802] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0106.802] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0106.802] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f740, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿcîÆÎ|ú\x18", lpUsedDefaultChar=0x0) returned 256 [0106.802] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x0, Size=0x80) returned 0x11b3830 [0106.802] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0106.802] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x160) returned 0x11b9c70 [0106.802] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0106.802] GetLastError () returned 0x0 [0106.802] SetLastError (dwErrCode=0x0) [0106.802] GetEnvironmentStringsW () returned 0x11c1dc8* [0106.805] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x0, Size=0xa8c) returned 0x11c2860 [0106.805] FreeEnvironmentStringsW (penv=0x11c1dc8) returned 1 [0106.805] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x90) returned 0x11b4520 [0106.805] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x3e) returned 0x11bab28 [0106.805] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x5c) returned 0x11b87f8 [0106.805] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x6e) returned 0x11b45e8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x78) returned 0x11c3f20 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x62) returned 0x11b49b8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x28) returned 0x11b3d50 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x48) returned 0x11b3fa0 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x1a) returned 0x11b0570 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x3a) returned 0x11bac90 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x62) returned 0x11b3bb0 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x2a) returned 0x11b83d0 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x2e) returned 0x11b86a8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x1c) returned 0x11b3d80 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x144) returned 0x11c1dc8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x7c) returned 0x11b8058 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x36) returned 0x11be1f8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x3a) returned 0x11bab70 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x90) returned 0x11b4358 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x24) returned 0x11b38d0 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x30) returned 0x11b86e0 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x36) returned 0x11be6b8 [0106.806] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x48) returned 0x11b28d8 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x52) returned 0x11b04b8 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x3c) returned 0x11bb080 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0xd6) returned 0x11b9e30 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x2e) returned 0x11b8558 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x1e) returned 0x11b2928 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x2c) returned 0x11b8408 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x54) returned 0x11b3dc8 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x52) returned 0x11b4028 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x24) returned 0x11b3e28 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x42) returned 0x11b4088 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x2c) returned 0x11b8590 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x44) returned 0x11b9f60 [0106.807] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x24) returned 0x11b3900 [0106.808] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11c2860 | out: hHeap=0x11b0000) returned 1 [0106.808] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x8, Size=0x800) returned 0x11c1f18 [0106.808] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0106.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0106.808] GetStartupInfoW (in: lpStartupInfo=0x18faa8 | out: lpStartupInfo=0x18faa8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0106.808] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode" [0106.808] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode", pNumArgs=0x18fa94 | out: pNumArgs=0x18fa94) returned 0x11c2b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0106.809] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0106.812] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x0, Size=0x1000) returned 0x11c4300 [0106.812] RtlAllocateHeap (HeapHandle=0x11b0000, Flags=0x0, Size=0x28) returned 0x11ba6a8 [0106.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setForkMode", cchWideChar=-1, lpMultiByteStr=0x11ba6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setForkMode", lpUsedDefaultChar=0x0) returned 20 [0106.812] GetLastError () returned 0x0 [0106.812] SetLastError (dwErrCode=0x0) [0106.812] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeW") returned 0x0 [0106.813] GetLastError () returned 0x7f [0106.813] SetLastError (dwErrCode=0x7f) [0106.813] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeA") returned 0x0 [0106.813] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkMode") returned 0x647cb012 [0106.813] GetActiveWindow () returned 0x0 [0106.814] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11c4300 | out: hHeap=0x11b0000) returned 1 [0106.815] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11ba6a8 | out: hHeap=0x11b0000) returned 1 [0106.815] GetCurrentProcessId () returned 0x130c [0106.815] GetCurrentThreadId () returned 0x12b0 [0106.815] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0106.827] Thread32First (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.828] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.829] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.830] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.830] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.831] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.832] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.832] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.833] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.935] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.936] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.937] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.938] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.938] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.939] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.940] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.941] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.941] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.942] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.943] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.944] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.945] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.945] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.946] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.947] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.948] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.948] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.949] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.950] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.951] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.952] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.952] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.953] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.954] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.955] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.955] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.956] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.957] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.958] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.958] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.960] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.960] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.961] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.962] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.963] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.963] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.964] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.965] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.966] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.966] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.967] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.968] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.969] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.969] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.970] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.971] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.972] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.972] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.973] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0106.974] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.119] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.119] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.120] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.121] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.121] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.122] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.122] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.123] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.124] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.124] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.125] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.125] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.126] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.126] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.127] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.128] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.128] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.129] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.129] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.130] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.131] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.132] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.133] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.133] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.134] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.134] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.135] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.136] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.136] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.137] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.137] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.138] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.138] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.139] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.140] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.140] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.141] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.141] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.142] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.142] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.143] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.144] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.144] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.145] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.145] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.146] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.148] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.149] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.149] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.150] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.150] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.151] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.152] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.152] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.153] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.153] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.154] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.154] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.155] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.156] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.156] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.157] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.157] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.158] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.158] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.159] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.160] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.160] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.161] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.161] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.162] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.168] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.169] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.170] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.170] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.171] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.171] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.172] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.173] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.173] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.174] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.174] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.175] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.175] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.176] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.177] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.177] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.178] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.179] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.180] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.181] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.181] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.182] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.182] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.183] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.184] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.184] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.185] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.185] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.186] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.186] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.187] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.188] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.188] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.189] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.189] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.190] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.190] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.191] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.192] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.192] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.193] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.194] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.195] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.195] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.196] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.197] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.197] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.198] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.198] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.199] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.199] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.200] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.201] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.201] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.202] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.202] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.203] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.203] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.204] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.205] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.205] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.206] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.206] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.207] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.208] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.208] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.209] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.348] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.349] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.349] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.352] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.353] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.354] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.355] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.355] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.356] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.357] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.358] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.358] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.359] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.360] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.361] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.361] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.362] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.363] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.364] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.364] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.365] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.416] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.416] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.417] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.418] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.419] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.420] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.420] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.421] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.422] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.423] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.423] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.424] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.425] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.426] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.426] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.427] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.428] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.429] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.430] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.431] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.431] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.432] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.433] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.434] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.434] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.435] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.436] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.437] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.437] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.438] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0107.439] Thread32Next (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0108.398] CloseHandle (hObject=0x150) returned 1 [0108.398] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xdc8) returned 0x150 [0108.399] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0166.325] CloseHandle (hObject=0x150) returned 1 [0166.325] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0166.333] Thread32First (hSnapshot=0x150, lpte=0x18fa78) returned 1 [0168.015] CloseHandle (hObject=0x150) returned 1 [0168.015] FreeLibrary (hLibModule=0x647c0000) returned 1 [0168.016] LocalFree (hMem=0x11c2b68) returned 0x0 [0168.017] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0168.017] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0168.017] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11b3830 | out: hHeap=0x11b0000) returned 1 [0168.018] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11c1f18 | out: hHeap=0x11b0000) returned 1 [0168.018] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0168.018] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0168.018] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18faa0 | out: phModule=0x18faa0) returned 0 [0168.019] ExitProcess (uExitCode=0x0) [0168.019] HeapFree (in: hHeap=0x11b0000, dwFlags=0x0, lpMem=0x11c0a28 | out: hHeap=0x11b0000) returned 1 Thread: id = 198 os_tid = 0xdc8 Process: id = "103" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x19cb0000" os_pid = "0x5f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6899 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6900 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6901 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6902 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6903 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6904 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 6905 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 6906 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 6907 start_va = 0xaf0000 end_va = 0xaf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 6908 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 6909 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6910 start_va = 0x7f0b0000 end_va = 0x7f0d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0b0000" filename = "" Region: id = 6911 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6912 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6913 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6914 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 6969 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 6970 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6971 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6972 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6973 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6974 start_va = 0xb00000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 6975 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6976 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6977 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6978 start_va = 0x7efb0000 end_va = 0x7f0affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6979 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6980 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6981 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6982 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 6983 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 6984 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6985 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6986 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6987 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 6988 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 6989 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6990 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6991 start_va = 0xaf0000 end_va = 0xaf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 6992 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6993 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 6994 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6995 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6996 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6997 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 6998 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 6999 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7000 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7001 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7002 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 7003 start_va = 0xb00000 end_va = 0xb29fff monitored = 0 entry_point = 0xb05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7004 start_va = 0xc70000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 7005 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7006 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7007 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7008 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7009 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 7010 start_va = 0xd70000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 7011 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 7012 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7015 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 7016 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 7017 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 7018 start_va = 0xb10000 end_va = 0xb17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 7042 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 7043 start_va = 0xb20000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 7044 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 7045 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 7046 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 7048 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Thread: id = 200 os_tid = 0x1140 [0107.781] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0107.781] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0107.782] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0107.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0107.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0107.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0107.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0107.783] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0107.783] GetProcessHeap () returned 0xc70000 [0107.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0107.783] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0107.783] GetLastError () returned 0x7e [0107.783] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0107.783] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0107.784] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x364) returned 0xc80a28 [0107.784] SetLastError (dwErrCode=0x7e) [0107.784] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0xe00) returned 0xc80d98 [0107.785] GetStartupInfoW (in: lpStartupInfo=0x18fa1c | out: lpStartupInfo=0x18fa1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0107.785] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0107.786] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0107.786] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0107.786] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook" [0107.786] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook" [0107.786] GetACP () returned 0x4e4 [0107.786] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x220) returned 0xc81ba0 [0107.786] IsValidCodePage (CodePage=0x4e4) returned 1 [0107.786] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa3c | out: lpCPInfo=0x18fa3c) returned 1 [0107.786] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f304 | out: lpCPInfo=0x18f304) returned 1 [0107.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f0a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0107.786] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f318 | out: lpCharType=0x18f318) returned 1 [0107.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0107.786] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0107.786] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0107.786] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0107.786] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0107.786] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f818, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¸\x9eÍÖTú\x18", lpUsedDefaultChar=0x0) returned 256 [0107.786] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.787] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0107.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0107.787] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0107.787] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f718, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¸\x9eÍÖTú\x18", lpUsedDefaultChar=0x0) returned 256 [0107.787] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x80) returned 0xc73830 [0107.787] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0107.787] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x15e) returned 0xc79c70 [0107.787] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0107.787] GetLastError () returned 0x0 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] GetEnvironmentStringsW () returned 0xc81dc8* [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0xa8c) returned 0xc82860 [0107.914] FreeEnvironmentStringsW (penv=0xc81dc8) returned 1 [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x90) returned 0xc74520 [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3e) returned 0xc7ae40 [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x5c) returned 0xc78a58 [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x6e) returned 0xc745e8 [0107.914] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x78) returned 0xc83c20 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x62) returned 0xc749b8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x28) returned 0xc73d50 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x48) returned 0xc73fa0 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1a) returned 0xc70570 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3a) returned 0xc7ac00 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x62) returned 0xc73bb0 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2a) returned 0xc789b0 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2e) returned 0xc78748 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1c) returned 0xc73d80 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x144) returned 0xc81dc8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x7c) returned 0xc78058 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x36) returned 0xc7e6b8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3a) returned 0xc7b038 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x90) returned 0xc74358 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc738d0 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x30) returned 0xc78828 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x36) returned 0xc7e2f8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x48) returned 0xc728d8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x52) returned 0xc704b8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3c) returned 0xc7b080 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0xd6) returned 0xc79e30 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2e) returned 0xc78908 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1e) returned 0xc72928 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2c) returned 0xc788d0 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x54) returned 0xc73dc8 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x52) returned 0xc74028 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc73e28 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x42) returned 0xc74088 [0107.915] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2c) returned 0xc78940 [0107.916] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x44) returned 0xc79f60 [0107.916] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc73900 [0107.916] HeapFree (in: hHeap=0xc70000, dwFlags=0x0, lpMem=0xc82860 | out: hHeap=0xc70000) returned 1 [0107.916] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x800) returned 0xc81f18 [0107.916] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0107.916] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0107.916] GetStartupInfoW (in: lpStartupInfo=0x18fa80 | out: lpStartupInfo=0x18fa80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0107.917] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook" [0107.917] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook", pNumArgs=0x18fa6c | out: pNumArgs=0x18fa6c) returned 0xc82b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0107.917] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0107.919] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x1000) returned 0xc84300 [0107.919] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x26) returned 0xc7a6a8 [0107.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogHook", cchWideChar=-1, lpMultiByteStr=0xc7a6a8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogHook", lpUsedDefaultChar=0x0) returned 19 [0107.920] GetLastError () returned 0x0 [0107.920] SetLastError (dwErrCode=0x0) [0107.920] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookW") returned 0x0 [0107.920] GetLastError () returned 0x7f [0107.920] SetLastError (dwErrCode=0x7f) [0107.920] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookA") returned 0x0 [0107.920] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHook") returned 0x647cb075 [0107.920] GetActiveWindow () returned 0x0 [0107.928] GetLastError () returned 0x7f [0107.928] SetLastError (dwErrCode=0x7f) Thread: id = 202 os_tid = 0xbfc Process: id = "104" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x192a6000" os_pid = "0x138c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "103" os_parent_pid = "0x5f0" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1520 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7049 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7050 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7051 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7052 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7053 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7054 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 7055 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7056 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7057 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 7058 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 7059 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 7060 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7061 start_va = 0x7f050000 end_va = 0x7f072fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f050000" filename = "" Region: id = 7062 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7063 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7064 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 7065 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7066 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7067 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7068 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7069 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7072 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7073 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7074 start_va = 0xd90000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 7075 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7076 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7077 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7078 start_va = 0x7ef50000 end_va = 0x7f04ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef50000" filename = "" Region: id = 7079 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7096 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7097 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7098 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7099 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7100 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7101 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7102 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7103 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7104 start_va = 0xd80000 end_va = 0xd83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 7105 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7106 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7107 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7108 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7109 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 7110 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7119 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 7120 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7121 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 7122 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 7123 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7124 start_va = 0x5130000 end_va = 0x529ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 7125 start_va = 0xd90000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 7126 start_va = 0xe80000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 7127 start_va = 0xd90000 end_va = 0xd93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 7128 start_va = 0xe40000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 7129 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7147 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7159 start_va = 0x590000 end_va = 0x717fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 7160 start_va = 0xda0000 end_va = 0xdc9fff monitored = 0 entry_point = 0xda5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7161 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7162 start_va = 0x720000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 7163 start_va = 0x52a0000 end_va = 0x669ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000052a0000" filename = "" Region: id = 7172 start_va = 0xda0000 end_va = 0xda3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 7173 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7174 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7175 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 7176 start_va = 0xf80000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 7256 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 7257 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 7258 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 7259 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7260 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 7261 start_va = 0x66a0000 end_va = 0x6e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000066a0000" filename = "" Region: id = 7262 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7263 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7309 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7310 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7311 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7312 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7313 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7314 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7315 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7316 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7317 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7318 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7319 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7320 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7321 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7322 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7323 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7324 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7325 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7326 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7327 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7328 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7329 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7330 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7331 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7332 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7333 start_va = 0xdd0000 end_va = 0xdd6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 7396 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7397 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7398 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 7399 start_va = 0x10d0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 7505 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 7522 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7528 start_va = 0x6efa0000 end_va = 0x6f3bdfff monitored = 0 entry_point = 0x6f09ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 7529 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7530 start_va = 0x6f880000 end_va = 0x6f8effff monitored = 0 entry_point = 0x6f8d4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 7531 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 7532 start_va = 0x5130000 end_va = 0x5219fff monitored = 0 entry_point = 0x516d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7533 start_va = 0x5290000 end_va = 0x529ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005290000" filename = "" Region: id = 7539 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7540 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7541 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7542 start_va = 0x5130000 end_va = 0x522ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 7543 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7552 start_va = 0x66a0000 end_va = 0x69d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7553 start_va = 0xde0000 end_va = 0xde1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7554 start_va = 0xde0000 end_va = 0xde3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7555 start_va = 0xde0000 end_va = 0xde5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7556 start_va = 0xde0000 end_va = 0xde7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7557 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7558 start_va = 0xde0000 end_va = 0xde9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7559 start_va = 0xde0000 end_va = 0xdebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7560 start_va = 0xde0000 end_va = 0xdedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7561 start_va = 0xde0000 end_va = 0xdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7562 start_va = 0xde0000 end_va = 0xdf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7563 start_va = 0xde0000 end_va = 0xdf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7564 start_va = 0xde0000 end_va = 0xdf5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7565 start_va = 0xde0000 end_va = 0xdf7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7566 start_va = 0xde0000 end_va = 0xdf9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7567 start_va = 0xde0000 end_va = 0xdfbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7568 start_va = 0xde0000 end_va = 0xdfdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7569 start_va = 0xde0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7572 start_va = 0x69e0000 end_va = 0x6abffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 7685 start_va = 0x1000000 end_va = 0x10c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 7686 start_va = 0x6ac0000 end_va = 0x6b69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ac0000" filename = "" Region: id = 7709 start_va = 0x6b70000 end_va = 0x6c14fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b70000" filename = "" Region: id = 7798 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 7799 start_va = 0xdf0000 end_va = 0xdf2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 7800 start_va = 0xe00000 end_va = 0xe03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 7801 start_va = 0x6ac0000 end_va = 0x72bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006ac0000" filename = "" Region: id = 7802 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7803 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7804 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7805 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7806 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7807 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7808 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7809 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7810 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7811 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7812 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7813 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7814 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7838 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7839 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7840 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7841 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7842 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7843 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7844 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7845 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7846 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7847 start_va = 0x6ac0000 end_va = 0x6bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ac0000" filename = "" Region: id = 7848 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7849 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7850 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7851 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7852 start_va = 0xe10000 end_va = 0xe16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7898 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 7899 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 7900 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7901 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7902 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7903 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7904 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7920 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 7921 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 7922 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 7930 start_va = 0x8b0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7931 start_va = 0x8f0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 7932 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 7933 start_va = 0xe10000 end_va = 0xe10fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 7934 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 7935 start_va = 0xe10000 end_va = 0xe10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 7936 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 7937 start_va = 0xe20000 end_va = 0xe20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 7938 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 8837 start_va = 0x930000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 8838 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 8839 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 8840 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 8841 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 8842 start_va = 0xa70000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 8843 start_va = 0x6f370000 end_va = 0x6f378fff monitored = 0 entry_point = 0x6f373830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9020 start_va = 0xe10000 end_va = 0xe10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 9021 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9154 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9258 start_va = 0xe10000 end_va = 0xe14fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 9259 start_va = 0xe30000 end_va = 0xe30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 9260 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9367 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9498 start_va = 0xab0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 9499 start_va = 0xaf0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 9500 start_va = 0xe30000 end_va = 0xe30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 9501 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9641 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9756 start_va = 0xb30000 end_va = 0xb31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 9757 start_va = 0x6f8b0000 end_va = 0x6f92afff monitored = 0 entry_point = 0x6f8d4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 9758 start_va = 0xb40000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 9759 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 9760 start_va = 0x6f820000 end_va = 0x6f8a0fff monitored = 0 entry_point = 0x6f826310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 9761 start_va = 0x6f800000 end_va = 0x6f815fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 9762 start_va = 0x6f7c0000 end_va = 0x6f7f0fff monitored = 0 entry_point = 0x6f7d22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 9764 start_va = 0xe30000 end_va = 0xe30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 9765 start_va = 0x1000000 end_va = 0x10bbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 9766 start_va = 0xe30000 end_va = 0xe33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 9767 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 9768 start_va = 0xe50000 end_va = 0xe53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 9769 start_va = 0xe60000 end_va = 0xe60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 9770 start_va = 0xe70000 end_va = 0xe70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 9787 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 9788 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 9795 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 9796 start_va = 0x5230000 end_va = 0x5232fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 9797 start_va = 0xbd0000 end_va = 0xbd2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 9798 start_va = 0x6bc0000 end_va = 0x70b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006bc0000" filename = "" Region: id = 9799 start_va = 0x70c0000 end_va = 0x80fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 9802 start_va = 0xbe0000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 9905 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 9906 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 204 os_tid = 0x1320 Thread: id = 207 os_tid = 0x13ac Thread: id = 209 os_tid = 0x1390 Thread: id = 224 os_tid = 0xb90 Thread: id = 236 os_tid = 0xc0c Thread: id = 240 os_tid = 0xc1c Thread: id = 241 os_tid = 0xc18 Thread: id = 277 os_tid = 0xc68 Thread: id = 289 os_tid = 0x17c Process: id = "105" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x19d0d000" os_pid = "0x1360" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "103" os_parent_pid = "0x5f0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "106" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x18ac8000" os_pid = "0x11fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7080 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7081 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7082 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 7083 start_va = 0x50000 end_va = 0x64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 7084 start_va = 0x70000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 7085 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7086 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 7087 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7088 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7089 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 7090 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7091 start_va = 0x7f0e0000 end_va = 0x7f102fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0e0000" filename = "" Region: id = 7092 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7093 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7094 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7095 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7111 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7112 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7113 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7114 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7115 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7116 start_va = 0x4d0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7117 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7118 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7130 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7131 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7132 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7133 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7134 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7135 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7136 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 7137 start_va = 0x630000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7138 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7139 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7140 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7141 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7142 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7143 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7144 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7145 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 7146 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7148 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7149 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7150 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7151 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7152 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7153 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7154 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7155 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7156 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7157 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7158 start_va = 0x730000 end_va = 0x8b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 7164 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7165 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7166 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7167 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 7168 start_va = 0xa50000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 7169 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 7170 start_va = 0xa50000 end_va = 0xae0fff monitored = 0 entry_point = 0xa88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7171 start_va = 0xb70000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 7177 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 7178 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 7179 start_va = 0xa50000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 7180 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 7181 start_va = 0x4d0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 7182 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 7183 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7184 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7185 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7186 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7187 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7188 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7189 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7190 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7191 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7192 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7193 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7194 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7195 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7196 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7197 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7198 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7199 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7200 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7201 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7202 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7203 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7204 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7205 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7206 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7207 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7208 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7209 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7210 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7211 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7212 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7213 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7214 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7215 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7216 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7217 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7218 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7219 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7220 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7221 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7222 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7223 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7224 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7225 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7226 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7227 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7228 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7229 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7230 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7231 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7232 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7233 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7234 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7235 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7236 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7237 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7238 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7239 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7240 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7241 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7242 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7243 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7244 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7245 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7246 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7247 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7248 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7249 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7250 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7251 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7252 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7253 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7254 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7255 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7264 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7265 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7266 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7267 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7268 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7269 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7270 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7271 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7272 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7273 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7274 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7275 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7276 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7277 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7278 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7279 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7280 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7281 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7282 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7283 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7284 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7285 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7286 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7287 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7288 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7289 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7290 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7291 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7292 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7293 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7294 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7295 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7296 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7297 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7298 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7299 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7300 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7301 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7302 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7303 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7304 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7305 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7306 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7334 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7335 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7336 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7337 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7338 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7339 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7340 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7341 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7342 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7343 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7344 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7345 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7346 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7347 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7348 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7349 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7350 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7351 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7352 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7353 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7354 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7355 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7356 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7357 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7358 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7359 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7360 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7361 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7362 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7363 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7364 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7365 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7366 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7367 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7368 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7369 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7370 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7371 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7372 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7373 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7374 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7375 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7376 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7377 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7378 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7379 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7400 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7401 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7402 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7403 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7404 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7405 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7406 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7407 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7408 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7409 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7410 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7411 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7412 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7413 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7414 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7415 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7416 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7417 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7418 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7419 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7420 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7421 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7422 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7423 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7424 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7425 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7426 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7427 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7428 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7429 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7430 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7431 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7432 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7433 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7434 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7435 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7436 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7437 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7438 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7439 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7440 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7441 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7442 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7443 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7444 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7445 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7446 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7447 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7448 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7454 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7455 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7456 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7457 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7458 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7459 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7460 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7461 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7462 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7463 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7464 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7465 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7466 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7467 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7468 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7469 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7470 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7471 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7472 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7473 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7474 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7475 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7476 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7477 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7478 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7479 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7480 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7481 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7482 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7483 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7484 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7485 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7486 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7487 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7488 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7489 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7490 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7491 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 7492 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 16578 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 16579 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 16580 start_va = 0x4d0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 16581 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 205 os_tid = 0x1144 [0109.496] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0109.497] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0109.497] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0109.497] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0109.497] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0109.497] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0109.498] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0109.498] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0109.499] GetProcessHeap () returned 0x4f0000 [0109.499] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0109.499] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0109.499] GetLastError () returned 0x7e [0109.499] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0109.499] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0109.499] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x364) returned 0x500a28 [0109.499] SetLastError (dwErrCode=0x7e) [0109.500] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe00) returned 0x500d98 [0109.502] GetStartupInfoW (in: lpStartupInfo=0x1af970 | out: lpStartupInfo=0x1af970*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0109.502] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0109.502] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0109.502] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0109.502] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel" [0109.502] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel" [0109.502] GetACP () returned 0x4e4 [0109.502] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x220) returned 0x501ba0 [0109.502] IsValidCodePage (CodePage=0x4e4) returned 1 [0109.502] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af990 | out: lpCPInfo=0x1af990) returned 1 [0109.502] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af258 | out: lpCPInfo=0x1af258) returned 1 [0109.502] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0109.502] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x1aeff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0109.502] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x1af26c | out: lpCharType=0x1af26c) returned 1 [0109.502] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0109.503] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x1aefa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0109.503] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0109.503] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0109.503] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0109.503] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1aed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0109.503] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1af76c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x93©Í1¨ù\x1a", lpUsedDefaultChar=0x0) returned 256 [0109.503] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0109.503] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af86c, cbMultiByte=256, lpWideCharStr=0x1aefc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0109.503] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0109.503] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x1aedb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0109.503] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1af66c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x93©Í1¨ù\x1a", lpUsedDefaultChar=0x0) returned 256 [0109.503] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x80) returned 0x4f3830 [0109.503] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0109.504] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x160) returned 0x4f9c70 [0109.504] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0109.504] GetLastError () returned 0x0 [0109.504] SetLastError (dwErrCode=0x0) [0109.504] GetEnvironmentStringsW () returned 0x501dc8* [0109.504] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0xa8c) returned 0x502860 [0109.504] FreeEnvironmentStringsW (penv=0x501dc8) returned 1 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4520 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3e) returned 0x4facd8 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x5c) returned 0x4f8a58 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x6e) returned 0x4f45e8 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x78) returned 0x504020 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f49b8 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x4f3d50 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f3fa0 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x4f0570 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fadb0 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f3bb0 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2a) returned 0x4f8978 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f87b8 [0109.505] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x4f3d80 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x144) returned 0x501dc8 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x7c) returned 0x4f8058 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fdff8 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4faf60 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4358 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f38d0 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x30) returned 0x4f8828 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe338 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f28d8 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f04b8 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3c) returned 0x4fa978 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xd6) returned 0x4f9e30 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f88d0 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1e) returned 0x4f2928 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f8898 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x4f3dc8 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f4028 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f3e28 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x42) returned 0x4f4088 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f8908 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x4f9f60 [0109.506] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f3900 [0109.507] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502860 | out: hHeap=0x4f0000) returned 1 [0109.561] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x800) returned 0x501f18 [0109.561] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0109.561] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0109.562] GetStartupInfoW (in: lpStartupInfo=0x1af9d4 | out: lpStartupInfo=0x1af9d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0109.562] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel" [0109.562] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel", pNumArgs=0x1af9c0 | out: pNumArgs=0x1af9c0) returned 0x502b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0109.563] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0109.566] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x504300 [0109.566] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x28) returned 0x4fa6a8 [0109.566] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogLevel", cchWideChar=-1, lpMultiByteStr=0x4fa6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogLevel", lpUsedDefaultChar=0x0) returned 20 [0109.566] GetLastError () returned 0x0 [0109.566] SetLastError (dwErrCode=0x0) [0109.567] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelW") returned 0x0 [0109.567] GetLastError () returned 0x7f [0109.567] SetLastError (dwErrCode=0x7f) [0109.567] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelA") returned 0x0 [0109.567] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevel") returned 0x647cb004 [0109.567] GetActiveWindow () returned 0x0 [0109.568] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x504300 | out: hHeap=0x4f0000) returned 1 [0109.568] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x4fa6a8 | out: hHeap=0x4f0000) returned 1 [0109.568] GetCurrentProcessId () returned 0x11fc [0109.568] GetCurrentThreadId () returned 0x1144 [0109.568] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0109.582] Thread32First (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.583] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.584] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.588] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.589] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.589] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.590] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.591] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.592] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.592] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.593] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.594] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.595] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.595] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.596] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.597] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.598] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.598] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.599] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.600] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.605] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.606] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.607] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.608] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.608] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.609] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.610] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.611] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.611] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.612] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.613] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.613] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.614] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.615] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.616] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.617] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.618] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.618] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.619] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.620] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.621] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.621] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.622] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.623] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.624] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.624] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.625] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.626] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.627] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.627] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.628] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.629] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.630] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.630] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.631] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.633] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.634] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.635] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.636] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.636] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.637] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.638] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.639] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.640] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.640] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.641] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.642] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.643] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.643] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.644] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.645] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.646] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.646] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.684] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.685] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.686] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.686] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.687] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.688] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.688] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.689] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.690] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.691] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.691] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.692] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.693] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.694] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.695] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.696] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.696] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.697] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.698] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.699] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.699] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.700] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.701] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.702] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.702] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.703] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.704] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.704] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.705] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.706] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.707] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.707] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.708] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.709] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.812] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.813] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.814] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.815] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.816] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.816] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.817] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.818] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.819] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.865] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.867] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.867] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.868] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.869] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.870] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.870] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.871] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.872] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.873] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.873] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.874] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.875] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.876] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.876] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.877] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.878] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.878] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.879] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.880] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.881] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.882] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.882] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.883] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.884] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.885] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.885] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.886] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.887] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.887] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.888] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.889] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.890] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.890] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.891] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.892] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.892] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.893] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.894] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.895] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.895] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.896] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.897] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.898] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.898] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.899] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.933] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.934] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.935] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.936] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.936] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.937] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.938] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.939] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.940] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.940] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.941] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.942] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.943] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.943] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.944] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.945] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.946] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.947] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.947] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.948] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.951] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.952] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.953] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.954] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.954] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.955] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.956] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.957] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.957] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.958] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.959] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.962] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.963] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.964] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.964] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.965] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.966] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.967] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.968] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.968] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.969] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.970] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.971] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.971] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.972] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.973] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.973] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.974] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0109.975] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.219] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.220] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.220] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.221] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.221] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.222] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.223] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.223] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.224] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.224] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.225] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.228] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.228] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.229] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.229] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.230] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.231] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.231] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.232] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.232] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.233] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.234] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.234] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.235] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.235] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.236] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.237] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.237] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.238] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.238] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.239] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.240] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.240] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.242] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.243] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.243] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.244] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.244] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0110.245] Thread32Next (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0111.101] CloseHandle (hObject=0x150) returned 1 [0111.101] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x1388) returned 0x150 [0111.101] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0169.424] CloseHandle (hObject=0x150) returned 1 [0169.424] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0169.434] Thread32First (hSnapshot=0x150, lpte=0x1af9a4) returned 1 [0170.678] CloseHandle (hObject=0x150) returned 1 [0170.679] FreeLibrary (hLibModule=0x647c0000) returned 1 [0170.717] LocalFree (hMem=0x502b68) returned 0x0 [0170.717] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0170.717] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0170.718] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x4f3830 | out: hHeap=0x4f0000) returned 1 [0170.719] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x501f18 | out: hHeap=0x4f0000) returned 1 [0170.719] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0170.719] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0170.719] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1af9cc | out: phModule=0x1af9cc) returned 0 [0170.719] ExitProcess (uExitCode=0x0) [0170.720] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x500a28 | out: hHeap=0x4f0000) returned 1 Thread: id = 208 os_tid = 0x1388 Process: id = "107" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x68ce2000" os_pid = "0x1368" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7380 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7381 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7382 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7383 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7384 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7385 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7386 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7387 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7388 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 7389 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 7390 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7391 start_va = 0x7f330000 end_va = 0x7f352fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f330000" filename = "" Region: id = 7392 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7393 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7394 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7395 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7449 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7450 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7451 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7452 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7453 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7493 start_va = 0x850000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7494 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7495 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7496 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7497 start_va = 0x7f230000 end_va = 0x7f32ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f230000" filename = "" Region: id = 7498 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7499 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7500 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7501 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7502 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7503 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 7504 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7506 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7507 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7508 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7509 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7510 start_va = 0x840000 end_va = 0x843fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 7511 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7512 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7513 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7514 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7515 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7516 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7517 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7518 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7519 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7520 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7521 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7523 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7524 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 7525 start_va = 0x850000 end_va = 0x879fff monitored = 0 entry_point = 0x855680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7526 start_va = 0x9a0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 7527 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7534 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7535 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 7536 start_va = 0x850000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7537 start_va = 0xaa0000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 7538 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 7546 start_va = 0x850000 end_va = 0x8e0fff monitored = 0 entry_point = 0x888cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7547 start_va = 0x980000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 7548 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 7549 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7550 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7551 start_va = 0x860000 end_va = 0x867fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7570 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 7571 start_va = 0x870000 end_va = 0x871fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 7573 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 7574 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 7575 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7576 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Thread: id = 210 os_tid = 0x13b8 [0110.831] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0110.831] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0110.831] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0110.831] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0110.832] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0110.832] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0110.832] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0110.832] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0110.833] GetProcessHeap () returned 0x9a0000 [0110.833] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0110.833] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0110.833] GetLastError () returned 0x7e [0110.833] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0110.833] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0110.833] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x364) returned 0x9b09f0 [0110.834] SetLastError (dwErrCode=0x7e) [0110.834] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xe00) returned 0x9b0d60 [0110.835] GetStartupInfoW (in: lpStartupInfo=0x18fa00 | out: lpStartupInfo=0x18fa00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0110.836] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0110.836] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0110.836] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0110.836] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries" [0110.836] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries" [0110.836] GetACP () returned 0x4e4 [0110.836] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x220) returned 0x9b1b68 [0110.836] IsValidCodePage (CodePage=0x4e4) returned 1 [0110.836] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa20 | out: lpCPInfo=0x18fa20) returned 1 [0110.836] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2e8 | out: lpCPInfo=0x18f2e8) returned 1 [0110.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0110.836] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f2fc | out: lpCharType=0x18f2fc) returned 1 [0110.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.836] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0110.836] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0110.836] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0110.836] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0110.837] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0110.837] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{d", lpUsedDefaultChar=0x0) returned 256 [0110.837] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.837] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0110.837] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0110.837] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0110.837] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{d", lpUsedDefaultChar=0x0) returned 256 [0110.837] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x80) returned 0x9a3848 [0110.837] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0110.837] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x16e) returned 0x9b1d90 [0110.837] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0110.837] GetLastError () returned 0x0 [0110.837] SetLastError (dwErrCode=0x0) [0110.837] GetEnvironmentStringsW () returned 0x9b1f08* [0110.837] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa8c) returned 0x9b29a0 [0110.838] FreeEnvironmentStringsW (penv=0x9b1f08) returned 1 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a4798 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3e) returned 0x9ab000 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x5c) returned 0x9a8a20 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x6e) returned 0x9a7ee8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x78) returned 0x9b3ae0 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a4218 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x28) returned 0x9a9df8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a3fc8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1a) returned 0x9a04b8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aaaa8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a7868 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2a) returned 0x9a86a0 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a86d8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1c) returned 0x9a04e0 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x144) returned 0x9a9c38 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x7c) returned 0x9a35f8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae500 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aab38 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9aa248 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3bc8 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x30) returned 0x9a8710 [0110.838] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae100 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a38e8 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a36a8 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3c) returned 0x9aaa18 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xd6) returned 0x9a9ae0 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a8748 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1e) returned 0x9a3938 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8780 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x54) returned 0x9a28e8 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a45d0 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a9bc0 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x42) returned 0x9a4040 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8828 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x44) returned 0x9a4090 [0110.839] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a4630 [0110.840] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9b29a0 | out: hHeap=0x9a0000) returned 1 [0110.840] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x800) returned 0x9b1f08 [0110.840] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0110.840] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0110.840] GetStartupInfoW (in: lpStartupInfo=0x18fa64 | out: lpStartupInfo=0x18fa64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0110.840] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries" [0110.841] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries", pNumArgs=0x18fa50 | out: pNumArgs=0x18fa50) returned 0x9b2b58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0110.841] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0110.843] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x1000) returned 0x9b4440 [0110.843] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x36) returned 0x9ae080 [0110.844] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setMaxLoginRetries", cchWideChar=-1, lpMultiByteStr=0x9ae080, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setMaxLoginRetries", lpUsedDefaultChar=0x0) returned 27 [0110.844] GetLastError () returned 0x0 [0110.844] SetLastError (dwErrCode=0x0) [0110.844] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesW") returned 0x0 [0110.844] GetLastError () returned 0x7f [0110.844] SetLastError (dwErrCode=0x7f) [0110.844] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesA") returned 0x0 [0110.844] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetries") returned 0x647cb31d [0110.844] GetActiveWindow () returned 0x0 [0110.845] GetLastError () returned 0x7f [0110.845] SetLastError (dwErrCode=0x7f) Thread: id = 212 os_tid = 0x13b0 Process: id = "108" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x459ab000" os_pid = "0x5d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "107" os_parent_pid = "0x1368" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4968 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7593 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7594 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7595 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7596 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7597 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7598 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 7599 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7600 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 7601 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7602 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 7603 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 7604 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7605 start_va = 0x7eed0000 end_va = 0x7eef2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eed0000" filename = "" Region: id = 7606 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7607 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7608 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 7609 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7610 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7611 start_va = 0x120000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 7612 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7613 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7614 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7623 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7624 start_va = 0x400000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7625 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7626 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7627 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7628 start_va = 0x7edd0000 end_va = 0x7eecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edd0000" filename = "" Region: id = 7629 start_va = 0x140000 end_va = 0x1fdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7649 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7650 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7651 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7652 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 7653 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7654 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7655 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7656 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7657 start_va = 0x110000 end_va = 0x113fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 7658 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7659 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7660 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7661 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7662 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 7663 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7674 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 7675 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7676 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 7677 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 7678 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7679 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 7680 start_va = 0x6c0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 7681 start_va = 0x120000 end_va = 0x123fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 7682 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7683 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7684 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7687 start_va = 0x480000 end_va = 0x4a9fff monitored = 0 entry_point = 0x485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7688 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 7689 start_va = 0x6c0000 end_va = 0x847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 7690 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 7691 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7700 start_va = 0x860000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7701 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 7702 start_va = 0x480000 end_va = 0x483fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 7703 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7704 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 7705 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 7706 start_va = 0x490000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7720 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 7721 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 7722 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7723 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7724 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7725 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7726 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 7727 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7728 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7729 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7730 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7731 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7732 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7733 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7734 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7735 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7736 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7737 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7738 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7739 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7740 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7741 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7742 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7743 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7744 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7745 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7746 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7747 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7748 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7749 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7750 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7751 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7752 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7753 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7795 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7796 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 7797 start_va = 0x9f0000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 7897 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 7919 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7923 start_va = 0x6f5e0000 end_va = 0x6f9fdfff monitored = 0 entry_point = 0x6f6dee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 7924 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7925 start_va = 0x6f3c0000 end_va = 0x6f42ffff monitored = 0 entry_point = 0x6f414b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 7926 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 7927 start_va = 0xa70000 end_va = 0xb59fff monitored = 0 entry_point = 0xaad650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7928 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7929 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7945 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7946 start_va = 0xa70000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 7947 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7948 start_va = 0xb70000 end_va = 0xea6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7981 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7982 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7983 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7984 start_va = 0x4c0000 end_va = 0x4c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7985 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 7986 start_va = 0x4c0000 end_va = 0x4c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7987 start_va = 0x4c0000 end_va = 0x4cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7988 start_va = 0x4c0000 end_va = 0x4cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7989 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7990 start_va = 0x4c0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7991 start_va = 0x4c0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7992 start_va = 0x4c0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7993 start_va = 0x4c0000 end_va = 0x4d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7994 start_va = 0x4c0000 end_va = 0x4d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7995 start_va = 0x4c0000 end_va = 0x4dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7996 start_va = 0x4c0000 end_va = 0x4ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7997 start_va = 0x4c0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8024 start_va = 0xfb0000 end_va = 0x108ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 8112 start_va = 0x6530000 end_va = 0x65f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 8116 start_va = 0x500000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 8121 start_va = 0x6600000 end_va = 0x66a8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 8190 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8191 start_va = 0x4d0000 end_va = 0x4d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 8192 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 8193 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 8194 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8195 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8196 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8197 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8198 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8203 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8204 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8205 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8206 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8207 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8208 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8209 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8210 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8211 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8212 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8213 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8214 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8215 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8216 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8217 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8222 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8223 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8224 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 8225 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8226 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8227 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8228 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8229 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8230 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 8231 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8232 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8233 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8234 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8235 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8236 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8237 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 8238 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 8239 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 8240 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 8241 start_va = 0x530000 end_va = 0x530fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 8242 start_va = 0x540000 end_va = 0x541fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 8243 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 8244 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8245 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 8246 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9090 start_va = 0x580000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 9091 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 9092 start_va = 0x6630000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 9093 start_va = 0x6670000 end_va = 0x66affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006670000" filename = "" Region: id = 9094 start_va = 0x66b0000 end_va = 0x66effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066b0000" filename = "" Region: id = 9095 start_va = 0x66f0000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 9096 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9200 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 9201 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9340 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9445 start_va = 0x530000 end_va = 0x534fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 9446 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 9447 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9573 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9728 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 9729 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 9732 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 9733 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9861 start_va = 0x6f7b0000 end_va = 0x6f7b8fff monitored = 0 entry_point = 0x6f7b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 10139 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 10140 start_va = 0x6f8b0000 end_va = 0x6f92afff monitored = 0 entry_point = 0x6f8d4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 10162 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 10163 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 10164 start_va = 0x6f820000 end_va = 0x6f8a0fff monitored = 0 entry_point = 0x6f826310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 10165 start_va = 0x6f800000 end_va = 0x6f815fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 10166 start_va = 0x6f7c0000 end_va = 0x6f7f0fff monitored = 0 entry_point = 0x6f7d22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 10167 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 10168 start_va = 0x6830000 end_va = 0x68ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006830000" filename = "" Region: id = 10169 start_va = 0x570000 end_va = 0x573fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 10170 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 10171 start_va = 0x10d0000 end_va = 0x10d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 10172 start_va = 0x68f0000 end_va = 0x68f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068f0000" filename = "" Region: id = 10173 start_va = 0x6900000 end_va = 0x6900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006900000" filename = "" Region: id = 10191 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 10192 start_va = 0x6910000 end_va = 0x6910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 10193 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 10194 start_va = 0x6920000 end_va = 0x6922fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 10195 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 10196 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 10197 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 10217 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 10218 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 10667 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 10668 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 213 os_tid = 0x13e8 Thread: id = 217 os_tid = 0x1370 Thread: id = 219 os_tid = 0x13c4 Thread: id = 250 os_tid = 0xc34 Thread: id = 251 os_tid = 0xc2c Thread: id = 252 os_tid = 0xe34 Thread: id = 287 os_tid = 0x1020 Thread: id = 303 os_tid = 0xc78 Process: id = "109" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x174fb000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7577 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7578 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7579 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7580 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7581 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7582 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7583 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7584 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7585 start_va = 0x8a0000 end_va = 0x8a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 7586 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 7587 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7588 start_va = 0x7f190000 end_va = 0x7f1b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f190000" filename = "" Region: id = 7589 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7590 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7591 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7592 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7615 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7616 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7617 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7618 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7619 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7620 start_va = 0x8b0000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7621 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7622 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7630 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7631 start_va = 0x7f090000 end_va = 0x7f18ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f090000" filename = "" Region: id = 7632 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7633 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7634 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7635 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7636 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 7637 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7638 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7639 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7640 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7641 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7642 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7643 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7644 start_va = 0x8a0000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 7645 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7646 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7647 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7648 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7664 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7665 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7666 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7667 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7668 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7669 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7670 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 7671 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7672 start_va = 0x920000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 7673 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7692 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7693 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7694 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 7695 start_va = 0xa20000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 7696 start_va = 0xbb0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 7697 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 7698 start_va = 0xbb0000 end_va = 0xc40fff monitored = 0 entry_point = 0xbe8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7699 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 7710 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 7711 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7712 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 7713 start_va = 0x8c0000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 7714 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 7715 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 7716 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 7717 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 7718 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 7719 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Thread: id = 214 os_tid = 0x1384 [0111.496] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0111.496] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0111.496] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0111.496] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0111.497] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0111.497] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0111.497] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0111.498] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0111.498] GetProcessHeap () returned 0x920000 [0111.498] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0111.498] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0111.498] GetLastError () returned 0x7e [0111.498] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0111.498] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0111.498] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x364) returned 0x930a40 [0111.499] SetLastError (dwErrCode=0x7e) [0111.499] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0xe00) returned 0x930db0 [0111.500] GetStartupInfoW (in: lpStartupInfo=0x18fc00 | out: lpStartupInfo=0x18fc00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0111.500] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0111.500] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0111.500] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0111.500] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod" [0111.500] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod" [0111.501] GetACP () returned 0x4e4 [0111.501] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x220) returned 0x931bb8 [0111.501] IsValidCodePage (CodePage=0x4e4) returned 1 [0111.501] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc20 | out: lpCPInfo=0x18fc20) returned 1 [0111.501] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4e8 | out: lpCPInfo=0x18f4e8) returned 1 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x18f288, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0111.501] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f4fc | out: lpCharType=0x18f4fc) returned 1 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0111.501] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0111.501] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0111.501] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0111.501] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0111.501] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿï\x1dO>8ü\x18", lpUsedDefaultChar=0x0) returned 256 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0111.501] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0111.502] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0111.502] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0111.502] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿï\x1dO>8ü\x18", lpUsedDefaultChar=0x0) returned 256 [0111.502] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x80) returned 0x923848 [0111.502] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0111.502] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x16c) returned 0x931de0 [0111.502] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0111.502] GetLastError () returned 0x0 [0111.502] SetLastError (dwErrCode=0x0) [0111.502] GetEnvironmentStringsW () returned 0x931f58* [0111.502] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0xa8c) returned 0x9329f0 [0111.502] FreeEnvironmentStringsW (penv=0x931f58) returned 1 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x90) returned 0x924538 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3e) returned 0x92acf0 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x5c) returned 0x928810 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x6e) returned 0x924600 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x78) returned 0x933930 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x62) returned 0x9249d0 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x28) returned 0x923d68 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x48) returned 0x923fb8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1a) returned 0x920570 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3a) returned 0x92ab88 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x62) returned 0x923bc8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2a) returned 0x928730 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2e) returned 0x928490 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1c) returned 0x923d98 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x144) returned 0x929c88 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x7c) returned 0x928070 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x36) returned 0x92e310 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3a) returned 0x92af78 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x90) returned 0x924370 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x9238e8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x30) returned 0x928768 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x36) returned 0x92e3d0 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x48) returned 0x9228e8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x52) returned 0x9204b8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3c) returned 0x92adc8 [0111.503] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0xd6) returned 0x929e48 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2e) returned 0x928570 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1e) returned 0x922938 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2c) returned 0x9283e8 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x54) returned 0x923de0 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x52) returned 0x924040 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x923e40 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x42) returned 0x9240a0 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2c) returned 0x928538 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x44) returned 0x929f78 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x923918 [0111.504] HeapFree (in: hHeap=0x920000, dwFlags=0x0, lpMem=0x9329f0 | out: hHeap=0x920000) returned 1 [0111.504] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x800) returned 0x931f58 [0111.505] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0111.505] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0111.505] GetStartupInfoW (in: lpStartupInfo=0x18fc64 | out: lpStartupInfo=0x18fc64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0111.505] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod" [0111.505] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod", pNumArgs=0x18fc50 | out: pNumArgs=0x18fc50) returned 0x932ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0111.505] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0111.574] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x1000) returned 0x934490 [0111.574] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x34) returned 0x92e650 [0111.574] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINCachePeriod", cchWideChar=-1, lpMultiByteStr=0x92e650, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINCachePeriod", lpUsedDefaultChar=0x0) returned 26 [0111.574] GetLastError () returned 0x0 [0111.574] SetLastError (dwErrCode=0x0) [0111.574] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodW") returned 0x0 [0111.575] GetLastError () returned 0x7f [0111.575] SetLastError (dwErrCode=0x7f) [0111.575] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodA") returned 0x0 [0111.575] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriod") returned 0x647cb2b9 [0111.575] GetActiveWindow () returned 0x0 [0111.576] GetLastError () returned 0x7f [0111.576] SetLastError (dwErrCode=0x7f) Thread: id = 216 os_tid = 0x135c Process: id = "110" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x479d4000" os_pid = "0x1380" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "107" os_parent_pid = "0x1368" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "111" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x17564000" os_pid = "0x6a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "109" os_parent_pid = "0xb70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "112" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5abb1000" os_pid = "0x13d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "109" os_parent_pid = "0xb70" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2928 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7772 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7773 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7774 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7775 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7776 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7777 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 7778 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7779 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7780 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7781 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 7782 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 7783 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7784 start_va = 0x7e9e0000 end_va = 0x7ea02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9e0000" filename = "" Region: id = 7785 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7786 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7787 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 7788 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7789 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7790 start_va = 0x410000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 7791 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7792 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7793 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7794 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7823 start_va = 0x5d0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 7824 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7825 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7826 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7827 start_va = 0x7e8e0000 end_va = 0x7e9dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8e0000" filename = "" Region: id = 7828 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7829 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7830 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7831 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7832 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7833 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7834 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7835 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7836 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 7837 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 7873 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 7874 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7875 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7876 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7877 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7878 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 7879 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 7880 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7881 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 7882 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 7883 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 7884 start_va = 0x450000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7885 start_va = 0x800000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 7886 start_va = 0x450000 end_va = 0x453fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 7887 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 7888 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7889 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7890 start_va = 0x460000 end_va = 0x489fff monitored = 0 entry_point = 0x465680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7891 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 7892 start_va = 0x9d0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 7893 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7894 start_va = 0x460000 end_va = 0x463fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 7895 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 7896 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 7915 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7916 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 7917 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 7918 start_va = 0x4a0000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7949 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 7950 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 7951 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7952 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7953 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7954 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 7955 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 7956 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7957 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7958 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7959 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7960 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7961 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7962 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7963 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7964 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7965 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7966 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7967 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7968 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7969 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7970 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7971 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7972 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7973 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7974 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7975 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7976 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8014 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8015 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8016 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8017 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8018 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8019 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 8033 start_va = 0x4b0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 8034 start_va = 0x4f0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 8035 start_va = 0x5d0000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 8036 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 8065 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 8070 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8071 start_va = 0x6f5e0000 end_va = 0x6f9fdfff monitored = 0 entry_point = 0x6f6dee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 8072 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8073 start_va = 0x6f3c0000 end_va = 0x6f42ffff monitored = 0 entry_point = 0x6f414b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 8074 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 8075 start_va = 0xb70000 end_va = 0xc59fff monitored = 0 entry_point = 0xbad650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8076 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 8077 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8078 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8079 start_va = 0xb70000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 8080 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8090 start_va = 0xc70000 end_va = 0xfa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8091 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8092 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8093 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8094 start_va = 0x4c0000 end_va = 0x4c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8095 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 8096 start_va = 0x4c0000 end_va = 0x4c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8097 start_va = 0x4c0000 end_va = 0x4cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8098 start_va = 0x4c0000 end_va = 0x4cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8099 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8100 start_va = 0x4c0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8101 start_va = 0x4c0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8102 start_va = 0x4c0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8103 start_va = 0x4c0000 end_va = 0x4d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8108 start_va = 0x4c0000 end_va = 0x4d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8109 start_va = 0x4c0000 end_va = 0x4dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8110 start_va = 0x4c0000 end_va = 0x4ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8111 start_va = 0x4c0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8115 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 8189 start_va = 0x6610000 end_va = 0x66ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 8201 start_va = 0x4c0000 end_va = 0x576fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8202 start_va = 0x650000 end_va = 0x6f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 8247 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8248 start_va = 0x4d0000 end_va = 0x4d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 8249 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 8250 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 8251 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8252 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8253 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8254 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8255 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8256 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8257 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8258 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8259 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8260 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8261 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8262 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8263 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8280 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8281 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8282 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8283 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8284 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8285 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8286 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8287 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8288 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8289 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 8290 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8298 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8299 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8300 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8301 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8302 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 8303 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 8304 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8305 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8306 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8307 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8308 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8309 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 8310 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 8328 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 8329 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 8330 start_va = 0x510000 end_va = 0x510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 8331 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 8332 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 8333 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8334 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 8335 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9103 start_va = 0x540000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 9104 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 9105 start_va = 0x690000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 9106 start_va = 0x990000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 9107 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 9108 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 9109 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9240 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 9241 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9341 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9478 start_va = 0x510000 end_va = 0x514fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 9479 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 9480 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9574 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9739 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 9740 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 9744 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 9745 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9863 start_va = 0x6f7b0000 end_va = 0x6f7b8fff monitored = 0 entry_point = 0x6f7b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 10141 start_va = 0x590000 end_va = 0x591fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 10142 start_va = 0x6f8b0000 end_va = 0x6f92afff monitored = 0 entry_point = 0x6f8d4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 10174 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 10175 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 10176 start_va = 0x6f820000 end_va = 0x6f8a0fff monitored = 0 entry_point = 0x6f826310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 10177 start_va = 0x6f800000 end_va = 0x6f815fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 10178 start_va = 0x6f7c0000 end_va = 0x6f7f0fff monitored = 0 entry_point = 0x6f7d22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 10179 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 10180 start_va = 0x6890000 end_va = 0x694bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006890000" filename = "" Region: id = 10181 start_va = 0x5a0000 end_va = 0x5a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 10182 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 10183 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 10184 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 10185 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 10198 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 10199 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 10200 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 10201 start_va = 0x10b0000 end_va = 0x10b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 10202 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 10203 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 10204 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 10219 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 10523 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 10524 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 218 os_tid = 0x310 Thread: id = 222 os_tid = 0x13f0 Thread: id = 227 os_tid = 0x960 Thread: id = 253 os_tid = 0xe48 Thread: id = 254 os_tid = 0xe4c Thread: id = 255 os_tid = 0xe64 Thread: id = 288 os_tid = 0x9f8 Thread: id = 304 os_tid = 0xcf4 Process: id = "113" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x39514000" os_pid = "0x13bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7754 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7755 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7756 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7757 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 7758 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7759 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7760 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 7761 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 7762 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 7763 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 7764 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7765 start_va = 0x7e7e0000 end_va = 0x7e802fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7e0000" filename = "" Region: id = 7766 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7767 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7768 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7769 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 7815 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 7816 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7817 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7818 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7819 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7820 start_va = 0x590000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 7821 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7822 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7853 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7854 start_va = 0x7e6e0000 end_va = 0x7e7dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6e0000" filename = "" Region: id = 7855 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7856 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 7857 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7858 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7859 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 7860 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 7861 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7862 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7863 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 7864 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 7865 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 7866 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7867 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7868 start_va = 0x620000 end_va = 0x623fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 7869 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 7870 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7871 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 7872 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7905 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7906 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7907 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 7908 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 7909 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 7910 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 7911 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7912 start_va = 0x630000 end_va = 0x659fff monitored = 0 entry_point = 0x635680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7913 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 7914 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7939 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7940 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 7941 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 7942 start_va = 0xb00000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 7943 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 7944 start_va = 0x630000 end_va = 0x6c0fff monitored = 0 entry_point = 0x668cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7977 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 7978 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 7979 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 7980 start_va = 0x640000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 8020 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 8021 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 8022 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 8023 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 8037 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 8038 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Thread: id = 220 os_tid = 0x13d4 [0112.637] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0112.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0112.637] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0112.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0112.638] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0112.638] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0112.638] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0112.639] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0112.639] GetProcessHeap () returned 0x6e0000 [0112.639] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0112.639] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0112.639] GetLastError () returned 0x7e [0112.639] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0112.640] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0112.640] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x364) returned 0x6f0a38 [0112.640] SetLastError (dwErrCode=0x7e) [0112.640] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xe00) returned 0x6f0da8 [0112.642] GetStartupInfoW (in: lpStartupInfo=0x18fa40 | out: lpStartupInfo=0x18fa40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0112.642] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0112.642] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0112.642] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0112.642] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook" [0112.642] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook" [0112.642] GetACP () returned 0x4e4 [0112.642] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x220) returned 0x6f1bb0 [0112.642] IsValidCodePage (CodePage=0x4e4) returned 1 [0112.642] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa60 | out: lpCPInfo=0x18fa60) returned 1 [0112.642] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f328 | out: lpCPInfo=0x18f328) returned 1 [0112.642] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.642] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x18f0c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0112.643] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f33c | out: lpCharType=0x18f33c) returned 1 [0112.643] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.643] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0112.643] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0112.643] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0112.643] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0112.643] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0112.643] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f83c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿOâkfxú\x18", lpUsedDefaultChar=0x0) returned 256 [0112.643] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0112.643] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0112.643] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0112.643] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0112.643] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f73c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿOâkfxú\x18", lpUsedDefaultChar=0x0) returned 256 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x80) returned 0x6e3840 [0112.644] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x16a) returned 0x6f1dd8 [0112.644] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0112.644] GetLastError () returned 0x0 [0112.644] SetLastError (dwErrCode=0x0) [0112.644] GetEnvironmentStringsW () returned 0x6f1f50* [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0xa8c) returned 0x6f29e8 [0112.644] FreeEnvironmentStringsW (penv=0x6f1f50) returned 1 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4530 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3e) returned 0x6eac58 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x5c) returned 0x6e8a68 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x6e) returned 0x6e45f8 [0112.644] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x78) returned 0x6f3e28 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e49c8 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x28) returned 0x6e3d60 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e3fb0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1a) returned 0x6e0570 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eb048 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e3bc0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2a) returned 0x6e8450 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e8610 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1c) returned 0x6e3d90 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x144) returned 0x6e9c80 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x7c) returned 0x6e8068 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6ee048 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eaca0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4368 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e38e0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x30) returned 0x6e86f0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6edf88 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e28e0 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e04b8 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3c) returned 0x6ead30 [0112.645] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xd6) returned 0x6e9e40 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e84c0 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1e) returned 0x6e2930 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e8680 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x54) returned 0x6e3dd8 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e4038 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3e38 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x42) returned 0x6e4098 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e84f8 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x44) returned 0x6e9f70 [0112.646] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3910 [0112.647] HeapFree (in: hHeap=0x6e0000, dwFlags=0x0, lpMem=0x6f29e8 | out: hHeap=0x6e0000) returned 1 [0112.647] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x800) returned 0x6f1f50 [0112.647] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0112.647] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0112.647] GetStartupInfoW (in: lpStartupInfo=0x18faa4 | out: lpStartupInfo=0x18faa4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0112.757] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook" [0112.757] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook", pNumArgs=0x18fa90 | out: pNumArgs=0x18fa90) returned 0x6f2ba0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0112.758] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0112.760] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x1000) returned 0x6f4488 [0112.760] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x32) returned 0x6ee5c8 [0112.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINPromptHook", cchWideChar=-1, lpMultiByteStr=0x6ee5c8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINPromptHook", lpUsedDefaultChar=0x0) returned 25 [0112.760] GetLastError () returned 0x0 [0112.760] SetLastError (dwErrCode=0x0) [0112.761] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookW") returned 0x0 [0112.761] GetLastError () returned 0x7f [0112.761] SetLastError (dwErrCode=0x7f) [0112.761] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookA") returned 0x0 [0112.761] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHook") returned 0x647cb197 [0112.761] GetActiveWindow () returned 0x0 [0112.767] GetLastError () returned 0x7f [0112.767] SetLastError (dwErrCode=0x7f) Thread: id = 223 os_tid = 0x4ec Process: id = "114" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x25a29000" os_pid = "0x13c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7998 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 7999 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8000 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8001 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8002 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8003 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8004 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8005 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8006 start_va = 0xeb0000 end_va = 0xeb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 8007 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8008 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8009 start_va = 0x7f270000 end_va = 0x7f292fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f270000" filename = "" Region: id = 8010 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8011 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8012 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8013 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8025 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8026 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8027 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8028 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8029 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8030 start_va = 0xec0000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 8031 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8032 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8039 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8040 start_va = 0x7f170000 end_va = 0x7f26ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f170000" filename = "" Region: id = 8041 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8042 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 8043 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8044 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8045 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8046 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8047 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8048 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8049 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8050 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8051 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8052 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8053 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8054 start_va = 0xeb0000 end_va = 0xeb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 8055 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8056 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8057 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8058 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8059 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8060 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8061 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8062 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8063 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8064 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8066 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8067 start_va = 0xec0000 end_va = 0xee9fff monitored = 0 entry_point = 0xec5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8068 start_va = 0x1090000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 8069 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8083 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8084 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 8085 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 8086 start_va = 0xec0000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 8087 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 8088 start_va = 0xec0000 end_va = 0xf50fff monitored = 0 entry_point = 0xef8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8089 start_va = 0xfe0000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 8104 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 8105 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 8106 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 8107 start_va = 0xed0000 end_va = 0xed7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 8113 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 8114 start_va = 0xee0000 end_va = 0xee1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 8117 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 8118 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 8119 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 8120 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Thread: id = 225 os_tid = 0x3f8 [0113.249] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0113.250] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0113.250] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0113.250] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0113.250] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0113.251] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0113.251] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0113.252] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0113.252] GetProcessHeap () returned 0x1090000 [0113.252] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0113.252] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0113.252] GetLastError () returned 0x7e [0113.252] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0113.253] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0113.253] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x364) returned 0x10a0a58 [0113.253] SetLastError (dwErrCode=0x7e) [0113.253] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0xe00) returned 0x10a0dc8 [0113.255] GetStartupInfoW (in: lpStartupInfo=0x18fc5c | out: lpStartupInfo=0x18fc5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0113.255] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0113.255] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0113.255] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0113.255] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication" [0113.255] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication" [0113.255] GetACP () returned 0x4e4 [0113.255] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x0, Size=0x220) returned 0x10a1bd0 [0113.255] IsValidCodePage (CodePage=0x4e4) returned 1 [0113.255] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc7c | out: lpCPInfo=0x18fc7c) returned 1 [0113.255] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f544 | out: lpCPInfo=0x18f544) returned 1 [0113.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0113.256] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f558 | out: lpCharType=0x18f558) returned 1 [0113.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.256] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0113.256] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0113.256] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0113.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0113.256] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f088, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0113.256] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa58, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x86yó>\x94ü\x18", lpUsedDefaultChar=0x0) returned 256 [0113.309] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0113.309] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0113.309] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0113.309] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0113.309] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f958, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x86yó>\x94ü\x18", lpUsedDefaultChar=0x0) returned 256 [0113.309] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x0, Size=0x80) returned 0x1093860 [0113.309] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0113.309] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x17e) returned 0x10a1df8 [0113.309] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0113.309] GetLastError () returned 0x0 [0113.309] SetLastError (dwErrCode=0x0) [0113.309] GetEnvironmentStringsW () returned 0x10a1f80* [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x0, Size=0xa8c) returned 0x10a2a18 [0113.310] FreeEnvironmentStringsW (penv=0x10a1f80) returned 1 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x90) returned 0x1094550 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x3e) returned 0x109ad50 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x5c) returned 0x1098828 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x6e) returned 0x1094618 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x78) returned 0x10a43d8 [0113.310] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x62) returned 0x10949e8 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x28) returned 0x1093d80 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x48) returned 0x1093fd0 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x1a) returned 0x1090570 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x3a) returned 0x109ae28 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x62) returned 0x1093be0 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x2a) returned 0x1098470 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x2e) returned 0x10986d8 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x1c) returned 0x1093db0 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x144) returned 0x1099a40 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x7c) returned 0x1098088 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x36) returned 0x109e468 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x3a) returned 0x109ad98 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x90) returned 0x1094388 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x24) returned 0x1093900 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x30) returned 0x1098400 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x36) returned 0x109df68 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x48) returned 0x10928f8 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x52) returned 0x10904b8 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x3c) returned 0x109ab10 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0xd6) returned 0x1099c00 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x2e) returned 0x10984e0 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x1e) returned 0x1092948 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x2c) returned 0x1098550 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x54) returned 0x1093df8 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x52) returned 0x1094058 [0113.311] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x24) returned 0x1093e58 [0113.312] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x42) returned 0x10940b8 [0113.312] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x2c) returned 0x10985c0 [0113.312] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x44) returned 0x1099d30 [0113.312] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x24) returned 0x1093930 [0113.313] HeapFree (in: hHeap=0x1090000, dwFlags=0x0, lpMem=0x10a2a18 | out: hHeap=0x1090000) returned 1 [0113.313] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x8, Size=0x800) returned 0x10a1f80 [0113.313] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0113.313] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0113.313] GetStartupInfoW (in: lpStartupInfo=0x18fcc0 | out: lpStartupInfo=0x18fcc0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0113.313] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication" [0113.314] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication", pNumArgs=0x18fcac | out: pNumArgs=0x18fcac) returned 0x10a2bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0113.314] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0113.317] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x0, Size=0x1000) returned 0x10a44b8 [0113.317] RtlAllocateHeap (HeapHandle=0x1090000, Flags=0x0, Size=0x46) returned 0x109a478 [0113.317] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setProtectedAuthentication", cchWideChar=-1, lpMultiByteStr=0x109a478, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setProtectedAuthentication", lpUsedDefaultChar=0x0) returned 35 [0113.317] GetLastError () returned 0x0 [0113.317] SetLastError (dwErrCode=0x0) [0113.318] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationW") returned 0x0 [0113.318] GetLastError () returned 0x7f [0113.318] SetLastError (dwErrCode=0x7f) [0113.318] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationA") returned 0x0 [0113.318] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthentication") returned 0x647cb381 [0113.318] GetActiveWindow () returned 0x0 [0113.320] GetLastError () returned 0x7f [0113.320] SetLastError (dwErrCode=0x7f) Thread: id = 228 os_tid = 0x4f8 Process: id = "115" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x16fdf000" os_pid = "0xab0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "113" os_parent_pid = "0x13bc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "116" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b542000" os_pid = "0x9c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8122 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8123 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8124 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8125 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8126 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8127 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8128 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8129 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8130 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 8131 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8132 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8133 start_va = 0x7e840000 end_va = 0x7e862fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e840000" filename = "" Region: id = 8134 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8135 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8136 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8137 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8140 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8141 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8142 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8143 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8144 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8145 start_va = 0x7a0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 8146 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8147 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8148 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8149 start_va = 0x7e740000 end_va = 0x7e83ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e740000" filename = "" Region: id = 8150 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8151 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 8152 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8153 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8154 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8155 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 8156 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8157 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8158 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8159 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8160 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8161 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8162 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8163 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 8164 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8165 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8166 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8167 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8168 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8169 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8170 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8171 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8172 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8173 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8174 start_va = 0x7a0000 end_va = 0x7c9fff monitored = 0 entry_point = 0x7a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8175 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 8176 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 8177 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8178 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8179 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8180 start_va = 0x7a0000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 8181 start_va = 0xac0000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 8182 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 8183 start_va = 0xc50000 end_va = 0xce0fff monitored = 0 entry_point = 0xc88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8184 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 8185 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 8186 start_va = 0x820000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 8187 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 8188 start_va = 0x7b0000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 8199 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 8200 start_va = 0x7c0000 end_va = 0x7c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 8218 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 8219 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 8220 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 8221 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Thread: id = 229 os_tid = 0x7b4 [0114.036] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0114.036] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0114.036] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0114.036] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0114.036] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0114.037] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0114.037] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0114.037] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0114.038] GetProcessHeap () returned 0x830000 [0114.038] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0114.038] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0114.038] GetLastError () returned 0x7e [0114.038] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0114.039] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0114.039] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x364) returned 0x840a38 [0114.039] SetLastError (dwErrCode=0x7e) [0114.039] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xe00) returned 0x840da8 [0114.041] GetStartupInfoW (in: lpStartupInfo=0x18fb4c | out: lpStartupInfo=0x18fb4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0114.041] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0114.041] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0114.041] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0114.041] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook" [0114.041] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook" [0114.041] GetACP () returned 0x4e4 [0114.041] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x220) returned 0x841bb0 [0114.041] IsValidCodePage (CodePage=0x4e4) returned 1 [0114.041] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb6c | out: lpCPInfo=0x18fb6c) returned 1 [0114.041] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f434 | out: lpCPInfo=0x18f434) returned 1 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0114.042] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f448 | out: lpCharType=0x18f448) returned 1 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0114.042] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0114.042] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0114.042] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0114.042] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0114.042] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f948, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBF¼\x06\x84û\x18", lpUsedDefaultChar=0x0) returned 256 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0114.042] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0114.042] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0114.042] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0114.043] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f848, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿBF¼\x06\x84û\x18", lpUsedDefaultChar=0x0) returned 256 [0114.043] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x80) returned 0x833840 [0114.043] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0114.043] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x16a) returned 0x841dd8 [0114.043] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0114.043] GetLastError () returned 0x0 [0114.043] SetLastError (dwErrCode=0x0) [0114.043] GetEnvironmentStringsW () returned 0x841f50* [0114.043] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0xa8c) returned 0x8429e8 [0114.044] FreeEnvironmentStringsW (penv=0x841f50) returned 1 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x90) returned 0x834530 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3e) returned 0x83ac58 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x5c) returned 0x838808 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x6e) returned 0x8345f8 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x78) returned 0x8443a8 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x62) returned 0x8349c8 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x28) returned 0x833d60 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x48) returned 0x833fb0 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1a) returned 0x830570 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3a) returned 0x83a988 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x62) returned 0x833bc0 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2a) returned 0x838728 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2e) returned 0x8384f8 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1c) returned 0x833d90 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x144) returned 0x839a20 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x7c) returned 0x838068 [0114.044] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x36) returned 0x83e108 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3a) returned 0x83ae98 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x90) returned 0x834368 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x8338e0 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x30) returned 0x838530 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x36) returned 0x83e388 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x48) returned 0x8328e0 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x52) returned 0x8304b8 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3c) returned 0x83ab38 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xd6) returned 0x839e40 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2e) returned 0x838568 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1e) returned 0x832930 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2c) returned 0x8385d8 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x54) returned 0x833dd8 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x52) returned 0x834038 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x833e38 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x42) returned 0x834098 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2c) returned 0x8385a0 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x44) returned 0x839f70 [0114.045] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x833910 [0114.046] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x8429e8 | out: hHeap=0x830000) returned 1 [0114.097] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x800) returned 0x841f50 [0114.097] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0114.098] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0114.098] GetStartupInfoW (in: lpStartupInfo=0x18fbb0 | out: lpStartupInfo=0x18fbb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0114.098] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook" [0114.098] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook", pNumArgs=0x18fb9c | out: pNumArgs=0x18fb9c) returned 0x842ba0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0114.098] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0114.101] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x1000) returned 0x844488 [0114.101] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x32) returned 0x83e508 [0114.101] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setSlotEventHook", cchWideChar=-1, lpMultiByteStr=0x83e508, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setSlotEventHook", lpUsedDefaultChar=0x0) returned 25 [0114.102] GetLastError () returned 0x0 [0114.102] SetLastError (dwErrCode=0x0) [0114.102] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookW") returned 0x0 [0114.102] GetLastError () returned 0x7f [0114.102] SetLastError (dwErrCode=0x7f) [0114.102] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookA") returned 0x0 [0114.102] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHook") returned 0x647cb106 [0114.102] GetActiveWindow () returned 0x0 [0114.103] GetLastError () returned 0x7f [0114.103] SetLastError (dwErrCode=0x7f) Thread: id = 231 os_tid = 0xcf0 Process: id = "117" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b47a000" os_pid = "0x450" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "114" os_parent_pid = "0x13c8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "118" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x280b4000" os_pid = "0xc08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "116" os_parent_pid = "0x9c8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "119" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x67b58000" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8264 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8265 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8266 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8267 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8268 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8269 start_va = 0x8b0000 end_va = 0x8b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 8270 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8271 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8272 start_va = 0x7fed0000 end_va = 0x7fef2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fed0000" filename = "" Region: id = 8273 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8274 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8275 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8276 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8277 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8278 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8279 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8291 start_va = 0x400000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8292 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8293 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8294 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8295 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8296 start_va = 0x8c0000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 8297 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8311 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8312 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8313 start_va = 0x7fdd0000 end_va = 0x7fecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fdd0000" filename = "" Region: id = 8314 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8315 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 8316 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8317 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8318 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8319 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8320 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8321 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8322 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8323 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8324 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8325 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8326 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8327 start_va = 0x8b0000 end_va = 0x8b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 8336 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8337 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8338 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8339 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8340 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8341 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8342 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8343 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8344 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8345 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8346 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 8347 start_va = 0x8c0000 end_va = 0x8e9fff monitored = 0 entry_point = 0x8c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8348 start_va = 0xa90000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 8349 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8350 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8351 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 8352 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 8353 start_va = 0xb90000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 8354 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 8355 start_va = 0xc20000 end_va = 0xcb0fff monitored = 0 entry_point = 0xc58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8356 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 8357 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 8358 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 8359 start_va = 0xa60000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 8362 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 8363 start_va = 0xa70000 end_va = 0xa71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 8364 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 8365 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 8366 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 8367 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Thread: id = 232 os_tid = 0xb5c [0115.248] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0115.248] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.248] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0115.248] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.248] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0115.248] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0115.249] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.249] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0115.250] GetProcessHeap () returned 0xa90000 [0115.263] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.263] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0115.263] GetLastError () returned 0x7e [0115.263] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0115.264] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0115.264] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x364) returned 0xaa0a48 [0115.264] SetLastError (dwErrCode=0x7e) [0115.264] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0xe00) returned 0xaa0db8 [0115.266] GetStartupInfoW (in: lpStartupInfo=0x18fc78 | out: lpStartupInfo=0x18fc78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0115.266] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0115.266] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0115.266] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0115.266] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook" [0115.266] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook" [0115.266] GetACP () returned 0x4e4 [0115.266] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x0, Size=0x220) returned 0xaa1bc0 [0115.266] IsValidCodePage (CodePage=0x4e4) returned 1 [0115.266] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc98 | out: lpCPInfo=0x18fc98) returned 1 [0115.266] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f560 | out: lpCPInfo=0x18f560) returned 1 [0115.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0115.266] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f574 | out: lpCharType=0x18f574) returned 1 [0115.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0115.266] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.267] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0115.267] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.267] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0115.267] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa74, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿLB©K°ü\x18", lpUsedDefaultChar=0x0) returned 256 [0115.267] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.267] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpWideCharStr=0x18f2d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0115.267] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.267] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0115.267] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f974, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿLB©K°ü\x18", lpUsedDefaultChar=0x0) returned 256 [0115.267] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x0, Size=0x80) returned 0xa93848 [0115.267] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0115.267] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x16e) returned 0xaa1de8 [0115.267] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0115.267] GetLastError () returned 0x0 [0115.267] SetLastError (dwErrCode=0x0) [0115.267] GetEnvironmentStringsW () returned 0xaa1f60* [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x0, Size=0xa8c) returned 0xaa29f8 [0115.268] FreeEnvironmentStringsW (penv=0xaa1f60) returned 1 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x90) returned 0xa94538 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x3e) returned 0xa9aa70 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x5c) returned 0xa98a78 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x6e) returned 0xa94830 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x78) returned 0xaa3638 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x62) returned 0xa949d0 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x28) returned 0xa93d68 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x48) returned 0xa93fb8 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x1a) returned 0xa93d98 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x3a) returned 0xa9acf8 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x62) returned 0xa94600 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x2a) returned 0xa986f8 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x2e) returned 0xa98730 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x1c) returned 0xa947a0 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x144) returned 0xa99c90 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x7c) returned 0xa94370 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x36) returned 0xa9e258 [0115.268] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x3a) returned 0xa9ab90 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x90) returned 0xa93de0 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x24) returned 0xa947c8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x30) returned 0xa98880 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x36) returned 0xa9e1d8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x48) returned 0xa93bc8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x52) returned 0xa938e8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x3c) returned 0xa9ac68 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0xd6) returned 0xa99e50 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x2e) returned 0xa988f0 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x1e) returned 0xa93c18 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x2c) returned 0xa98998 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x54) returned 0xa928e8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x52) returned 0xa904b8 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x24) returned 0xa94040 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x42) returned 0xa94070 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x2c) returned 0xa98928 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x44) returned 0xa99f80 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x24) returned 0xa940c0 [0115.269] HeapFree (in: hHeap=0xa90000, dwFlags=0x0, lpMem=0xaa29f8 | out: hHeap=0xa90000) returned 1 [0115.269] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x8, Size=0x800) returned 0xaa1f60 [0115.270] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0115.270] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0115.270] GetStartupInfoW (in: lpStartupInfo=0x18fcdc | out: lpStartupInfo=0x18fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0115.270] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook" [0115.270] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook", pNumArgs=0x18fcc8 | out: pNumArgs=0x18fcc8) returned 0xaa2bb0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0115.270] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0115.273] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x0, Size=0x1000) returned 0xaa4498 [0115.273] RtlAllocateHeap (HeapHandle=0xa90000, Flags=0x0, Size=0x36) returned 0xa9e558 [0115.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setTokenPromptHook", cchWideChar=-1, lpMultiByteStr=0xa9e558, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setTokenPromptHook", lpUsedDefaultChar=0x0) returned 27 [0115.273] GetLastError () returned 0x0 [0115.273] SetLastError (dwErrCode=0x0) [0115.273] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookW") returned 0x0 [0115.273] GetLastError () returned 0x7f [0115.273] SetLastError (dwErrCode=0x7f) [0115.273] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookA") returned 0x0 [0115.274] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHook") returned 0x647cb228 [0115.274] GetActiveWindow () returned 0x0 [0115.274] GetLastError () returned 0x7f [0115.275] SetLastError (dwErrCode=0x7f) Thread: id = 234 os_tid = 0x734 Process: id = "120" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6a5b8000" os_pid = "0xc24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "119" os_parent_pid = "0xc10" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3088 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8368 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8369 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8370 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8371 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8372 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 8373 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 8374 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 8375 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8376 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 8377 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 8378 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 8379 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8380 start_va = 0x7f4d0000 end_va = 0x7f4f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4d0000" filename = "" Region: id = 8381 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8382 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8383 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 8384 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8385 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8386 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8387 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8388 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8389 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8390 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8391 start_va = 0x670000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 8392 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8393 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8394 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8395 start_va = 0x7f3d0000 end_va = 0x7f4cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3d0000" filename = "" Region: id = 8396 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8397 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8398 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8399 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8400 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 8401 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8402 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8403 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8404 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8405 start_va = 0x660000 end_va = 0x663fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 8406 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8407 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8408 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8409 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8410 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 8411 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 8412 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 8429 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 8430 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8431 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 8432 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 8433 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 8434 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 8435 start_va = 0x800000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 8436 start_va = 0x680000 end_va = 0x683fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 8437 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8438 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8439 start_va = 0x690000 end_va = 0x6b9fff monitored = 0 entry_point = 0x695680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8440 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 8441 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8450 start_va = 0xab0000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 8451 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 8452 start_va = 0x690000 end_va = 0x693fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 8475 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8476 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 8477 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 8478 start_va = 0x800000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 8479 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 8493 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 8494 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 8495 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 8496 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8497 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 8498 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 8499 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8500 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8501 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8502 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8503 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8504 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8505 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8506 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8507 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8508 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8509 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8510 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8511 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8538 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8539 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8540 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8541 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8542 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8543 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8544 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8545 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8546 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8547 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8548 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8549 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8550 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8551 start_va = 0x6c0000 end_va = 0x6c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 8606 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 8607 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 8608 start_va = 0x800000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 8609 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 8710 start_va = 0x6c0000 end_va = 0x6c1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 8711 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8712 start_va = 0x6f5e0000 end_va = 0x6f9fdfff monitored = 0 entry_point = 0x6f6dee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 8713 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8714 start_va = 0x6f3c0000 end_va = 0x6f42ffff monitored = 0 entry_point = 0x6f414b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 8715 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 8716 start_va = 0xc40000 end_va = 0xd29fff monitored = 0 entry_point = 0xc7d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8717 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 8718 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8775 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8776 start_va = 0xc40000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 8777 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8778 start_va = 0xd40000 end_va = 0x1076fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8801 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8802 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8803 start_va = 0x6d0000 end_va = 0x6d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8804 start_va = 0x6d0000 end_va = 0x6d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8805 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 8806 start_va = 0x6d0000 end_va = 0x6d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8807 start_va = 0x6d0000 end_va = 0x6dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8808 start_va = 0x6d0000 end_va = 0x6ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8809 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8810 start_va = 0x6d0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8811 start_va = 0x6d0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8812 start_va = 0x6d0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8813 start_va = 0x6d0000 end_va = 0x6e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8814 start_va = 0x6d0000 end_va = 0x6e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8815 start_va = 0x6d0000 end_va = 0x6ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8816 start_va = 0x6d0000 end_va = 0x6edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8817 start_va = 0x6d0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8818 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 8888 start_va = 0x6610000 end_va = 0x66dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 8889 start_va = 0x66e0000 end_va = 0x6798fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 8894 start_va = 0x67a0000 end_va = 0x6843fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067a0000" filename = "" Region: id = 8901 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8902 start_va = 0x6e0000 end_va = 0x6e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 8903 start_va = 0x6f0000 end_va = 0x6f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 8904 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 8905 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8906 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8907 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8908 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8909 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8910 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8911 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8912 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8913 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8914 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8915 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8916 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8917 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8918 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8919 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8920 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8921 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8922 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8923 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8924 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8925 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8926 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8927 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 8928 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8929 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8930 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8931 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8932 start_va = 0x880000 end_va = 0x886fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8933 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 8934 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 8935 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 8936 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8937 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8938 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8939 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8940 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8941 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 8942 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 8943 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 8944 start_va = 0x880000 end_va = 0x880fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 8945 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 8962 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 8963 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8964 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 8965 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9327 start_va = 0x5b0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 9328 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 9329 start_va = 0x8a0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 9330 start_va = 0x1080000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 9331 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 9332 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 9333 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9417 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 9418 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9572 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 9654 start_va = 0x880000 end_va = 0x884fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 9655 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 9656 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 9852 start_va = 0x6f7b0000 end_va = 0x6f7b8fff monitored = 0 entry_point = 0x6f7b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 10096 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 10097 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 10131 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 10132 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 10311 start_va = 0x6f740000 end_va = 0x6f748fff monitored = 0 entry_point = 0x6f743830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 10525 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10526 start_va = 0x6f8b0000 end_va = 0x6f92afff monitored = 0 entry_point = 0x6f8d4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 10536 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 10537 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 10538 start_va = 0x6f820000 end_va = 0x6f8a0fff monitored = 0 entry_point = 0x6f826310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 10539 start_va = 0x6f800000 end_va = 0x6f815fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 10540 start_va = 0x6f7c0000 end_va = 0x6f7f0fff monitored = 0 entry_point = 0x6f7d22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 10541 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 10542 start_va = 0x6890000 end_va = 0x694bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006890000" filename = "" Region: id = 10543 start_va = 0x8f0000 end_va = 0x8f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 10544 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 10545 start_va = 0x900000 end_va = 0x903fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 10546 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010c0000" filename = "" Region: id = 10547 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 10564 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 10565 start_va = 0x6950000 end_va = 0x6950fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 10566 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 10567 start_va = 0x6960000 end_va = 0x6962fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 10568 start_va = 0x630000 end_va = 0x632fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 10569 start_va = 0x6970000 end_va = 0x6e61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006970000" filename = "" Region: id = 10570 start_va = 0x6e70000 end_va = 0x7eaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 10592 start_va = 0x7eb0000 end_va = 0x7ef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007eb0000" filename = "" Region: id = 10600 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 10601 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 235 os_tid = 0xba0 Thread: id = 237 os_tid = 0x980 Thread: id = 243 os_tid = 0xae4 Thread: id = 265 os_tid = 0xee8 Thread: id = 266 os_tid = 0xeec Thread: id = 267 os_tid = 0xf14 Thread: id = 301 os_tid = 0xc7c Thread: id = 316 os_tid = 0x430 Process: id = "121" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b172000" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8413 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8414 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8415 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8416 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8417 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8418 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8419 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8420 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8421 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8422 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8423 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8424 start_va = 0x7fd70000 end_va = 0x7fd92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fd70000" filename = "" Region: id = 8425 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8426 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8427 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8428 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8442 start_va = 0x410000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8443 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8444 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8445 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8446 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8447 start_va = 0x480000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 8448 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8449 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8453 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8454 start_va = 0x7fc70000 end_va = 0x7fd6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc70000" filename = "" Region: id = 8455 start_va = 0x610000 end_va = 0x6cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8456 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8457 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8458 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8459 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 8460 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8461 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8462 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8463 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8464 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8465 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8466 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8467 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8468 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8469 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8470 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8471 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8472 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8473 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8474 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8480 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8481 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8482 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8483 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8484 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 8485 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 8486 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8487 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8488 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 8489 start_va = 0x420000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 8490 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 8491 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 8492 start_va = 0xaf0000 end_va = 0xb80fff monitored = 0 entry_point = 0xb28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8512 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 8513 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 8514 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 8515 start_va = 0xaf0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 8516 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 8517 start_va = 0x440000 end_va = 0x445fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 8518 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8519 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8520 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8521 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8522 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8523 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8524 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8525 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8526 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8527 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8528 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8529 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8530 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8531 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8532 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8533 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8534 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8535 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8536 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8537 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8554 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8555 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8556 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8557 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8558 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8559 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8560 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8561 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8562 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8563 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8564 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8565 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8566 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8567 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8568 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8569 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8570 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8571 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8572 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8573 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8574 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8575 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8576 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8577 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8578 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8579 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8580 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8581 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8582 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8583 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8584 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8585 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8586 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8587 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8588 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8589 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8590 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8591 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8592 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8593 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8594 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8595 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8596 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8597 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8598 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8599 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8600 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8601 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8602 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8603 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8604 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8605 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8610 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8611 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8612 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8613 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8614 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8615 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8616 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8617 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8618 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8619 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8620 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8621 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8622 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8623 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8624 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8625 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8626 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8627 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8628 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8629 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8630 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8631 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8632 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8633 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8634 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8635 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8636 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8637 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8638 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8639 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8640 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8641 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8642 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8643 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8644 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8645 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8646 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8647 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8648 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8649 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8650 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8651 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8652 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8653 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8654 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8655 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8656 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8657 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8658 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8659 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8660 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8661 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8662 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8663 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8664 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8665 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8666 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8667 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8668 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8669 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8670 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8671 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8672 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8673 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8674 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8675 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8676 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8677 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8678 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8679 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8680 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8681 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8682 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8683 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8684 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8685 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8686 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8687 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8688 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8689 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8690 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8691 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8692 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8693 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8694 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8695 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8696 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8697 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8698 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8699 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8700 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8701 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8702 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8703 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8704 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8705 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8706 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8707 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8708 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8709 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8719 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8720 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8721 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8722 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8723 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8724 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8725 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8726 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8727 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8728 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8729 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8730 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8731 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8732 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8733 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8734 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8735 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8736 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8737 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8738 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8739 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8740 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8741 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8742 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8743 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8744 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8745 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8746 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8747 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8748 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8749 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8750 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8751 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8752 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8753 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8754 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8755 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8756 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8757 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8758 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8759 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8760 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8761 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8762 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8763 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8764 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8765 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8766 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8767 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8768 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8769 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8770 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8771 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8772 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8773 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8774 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8779 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8780 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8781 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8782 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8783 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8784 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8785 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8786 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8787 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8788 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8789 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8790 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8791 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8792 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8793 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8794 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8795 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8796 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8797 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8798 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8799 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 8800 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 17033 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 17034 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 17035 start_va = 0x440000 end_va = 0x445fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 17036 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Thread: id = 238 os_tid = 0xc3c [0115.898] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0115.899] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.899] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0115.899] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.899] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0115.899] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0115.900] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.900] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0115.901] GetProcessHeap () returned 0x510000 [0115.901] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.901] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0115.901] GetLastError () returned 0x7e [0115.901] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0115.901] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0115.901] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x364) returned 0x520a28 [0115.902] SetLastError (dwErrCode=0x7e) [0115.902] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe00) returned 0x520d98 [0115.904] GetStartupInfoW (in: lpStartupInfo=0x18f738 | out: lpStartupInfo=0x18f738*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0115.904] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0115.904] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0115.904] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0115.904] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate" [0115.904] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate" [0115.904] GetACP () returned 0x4e4 [0115.904] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x220) returned 0x521ba0 [0115.904] IsValidCodePage (CodePage=0x4e4) returned 1 [0115.904] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f758 | out: lpCPInfo=0x18f758) returned 1 [0115.904] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f020 | out: lpCPInfo=0x18f020) returned 1 [0115.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.904] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0115.904] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f034 | out: lpCharType=0x18f034) returned 1 [0115.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x18ed78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0115.905] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0115.905] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0115.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0115.905] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f534, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍ\x84¤.p÷\x18", lpUsedDefaultChar=0x0) returned 256 [0115.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.905] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f634, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0115.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.905] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0115.905] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f434, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍ\x84¤.p÷\x18", lpUsedDefaultChar=0x0) returned 256 [0115.906] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x80) returned 0x513830 [0115.906] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0115.906] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x15c) returned 0x519a10 [0115.906] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0115.906] GetLastError () returned 0x0 [0115.954] SetLastError (dwErrCode=0x0) [0115.954] GetEnvironmentStringsW () returned 0x521dc8* [0115.954] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xa8c) returned 0x522860 [0115.955] FreeEnvironmentStringsW (penv=0x521dc8) returned 1 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x514520 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3e) returned 0x51b110 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x5c) returned 0x5187f8 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x6e) returned 0x5145e8 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x78) returned 0x5236a0 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x5149b8 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x28) returned 0x513d50 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x513fa0 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x510570 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51ac48 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x513bb0 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2a) returned 0x518638 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x518478 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1c) returned 0x513d80 [0115.955] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x144) returned 0x521dc8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x7c) returned 0x518058 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e478 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51aff0 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x514358 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x5138d0 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x30) returned 0x5184b0 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e5b8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x5128d8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x5104b8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c) returned 0x51b038 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xd6) returned 0x519bd0 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x5184e8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1e) returned 0x512928 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x518670 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x54) returned 0x513dc8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x514028 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513e28 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x42) returned 0x514088 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x5186a8 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x519d00 [0115.956] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513900 [0115.957] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x522860 | out: hHeap=0x510000) returned 1 [0115.957] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x800) returned 0x521f18 [0115.957] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0115.958] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0115.958] GetStartupInfoW (in: lpStartupInfo=0x18f79c | out: lpStartupInfo=0x18f79c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0115.958] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate" [0115.958] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate", pNumArgs=0x18f788 | out: pNumArgs=0x18f788) returned 0x522b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0115.958] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0115.961] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1000) returned 0x524300 [0115.961] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x24) returned 0x51a708 [0115.961] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_terminate", cchWideChar=-1, lpMultiByteStr=0x51a708, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_terminate", lpUsedDefaultChar=0x0) returned 18 [0115.962] GetLastError () returned 0x0 [0115.962] SetLastError (dwErrCode=0x0) [0115.962] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateW") returned 0x0 [0115.962] GetLastError () returned 0x7f [0115.962] SetLastError (dwErrCode=0x7f) [0115.962] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateA") returned 0x0 [0115.962] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminate") returned 0x647cad58 [0115.962] GetActiveWindow () returned 0x0 [0115.964] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x524300 | out: hHeap=0x510000) returned 1 [0115.964] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x51a708 | out: hHeap=0x510000) returned 1 [0115.964] GetCurrentProcessId () returned 0xbe0 [0115.964] GetCurrentThreadId () returned 0xc3c [0115.964] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0115.974] Thread32First (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.975] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.976] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.976] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.977] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.978] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.979] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.979] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.980] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.981] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.982] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.982] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.983] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.995] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.996] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.996] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.997] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.998] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.999] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0115.999] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.040] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.041] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.042] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.043] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.043] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.044] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.045] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.046] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.047] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.047] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.048] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.049] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.050] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.052] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.053] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.053] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.054] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.055] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.056] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.056] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.057] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.058] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.059] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.059] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.060] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.061] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.062] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.062] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.063] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.064] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.065] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.066] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.067] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.068] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.068] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.069] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.070] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.071] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.071] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.072] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.073] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.074] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.075] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.076] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.076] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.077] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.078] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.079] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.079] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.080] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.081] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.082] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.091] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.091] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.092] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.093] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.094] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.094] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.095] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.096] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.097] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.099] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.100] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.101] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.102] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.102] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.103] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.104] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.104] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.105] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.106] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.107] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.107] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.108] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.109] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.110] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.110] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.111] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.112] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.113] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.114] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.115] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.115] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.116] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.117] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.118] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.118] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.119] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.120] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.121] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.121] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.122] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.123] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.124] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.124] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.125] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.126] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.127] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.127] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.128] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.133] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.134] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.135] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.135] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.136] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.136] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.137] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.137] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.138] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.139] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.139] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.140] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.140] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.141] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.141] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.142] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.143] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.143] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.144] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.145] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.145] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.146] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.146] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.147] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.148] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.148] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.149] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.149] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.150] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.150] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.151] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.152] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.152] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.153] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.153] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.154] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.155] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.155] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.156] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.156] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.157] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.158] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.158] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.159] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.159] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.161] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.162] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.163] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.164] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.165] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.165] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.166] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.167] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.219] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.219] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.220] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.221] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.222] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.222] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.223] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.224] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.225] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.225] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.226] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.227] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.228] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.228] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.230] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.231] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.231] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.232] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.233] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.234] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.234] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.235] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.236] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.236] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.237] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.238] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.239] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.239] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.240] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.241] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.242] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.242] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.243] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.244] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.246] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.247] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.248] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.249] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.249] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.250] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.251] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.252] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.252] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.253] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.254] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.254] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.255] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.255] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.256] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.257] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.257] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.258] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.258] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.259] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.259] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.312] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.313] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.314] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.315] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.316] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.317] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.318] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.318] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.319] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.320] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.321] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.322] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.323] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.324] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.325] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.326] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.327] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.327] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.328] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.329] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.330] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.331] Thread32Next (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0116.849] CloseHandle (hObject=0x150) returned 1 [0116.849] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xc20) returned 0x150 [0116.849] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0176.146] CloseHandle (hObject=0x150) returned 1 [0176.146] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0176.161] Thread32First (hSnapshot=0x150, lpte=0x18f76c) returned 1 [0177.991] CloseHandle (hObject=0x150) returned 1 [0177.991] FreeLibrary (hLibModule=0x647c0000) returned 1 [0178.197] LocalFree (hMem=0x522b68) returned 0x0 [0178.197] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0178.197] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0178.198] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x513830 | out: hHeap=0x510000) returned 1 [0178.199] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x521f18 | out: hHeap=0x510000) returned 1 [0178.199] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0178.199] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0178.199] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f794 | out: phModule=0x18f794) returned 0 [0178.200] ExitProcess (uExitCode=0x0) [0178.200] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x520a28 | out: hHeap=0x510000) returned 1 Thread: id = 242 os_tid = 0xc20 Process: id = "122" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5b949000" os_pid = "0x5b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "119" os_parent_pid = "0xc10" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "123" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5258a000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8819 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8820 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8821 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8822 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8823 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8824 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8825 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8826 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8827 start_va = 0x680000 end_va = 0x681fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 8828 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8829 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8830 start_va = 0x7e8a0000 end_va = 0x7e8c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8a0000" filename = "" Region: id = 8831 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8832 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8833 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8834 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8844 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8845 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8846 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8847 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8848 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8849 start_va = 0x690000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 8850 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8851 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8852 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8853 start_va = 0x7e7a0000 end_va = 0x7e89ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7a0000" filename = "" Region: id = 8854 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8855 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 8856 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8857 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8858 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8859 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 8860 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8861 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8862 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8863 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8864 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8865 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8866 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8867 start_va = 0x680000 end_va = 0x683fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 8868 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8869 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8870 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8871 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8872 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8873 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8874 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8875 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8876 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8877 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8878 start_va = 0x690000 end_va = 0x6b9fff monitored = 0 entry_point = 0x695680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8879 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 8880 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 8881 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8882 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 8883 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 8884 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 8885 start_va = 0xb60000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 8886 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 8887 start_va = 0x690000 end_va = 0x720fff monitored = 0 entry_point = 0x6c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8890 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 8891 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 8892 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 8893 start_va = 0x6a0000 end_va = 0x6a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 8895 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 8896 start_va = 0x6b0000 end_va = 0x6b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 8897 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 8898 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 8899 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 8900 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Thread: id = 244 os_tid = 0xc28 [0116.872] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0116.872] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0116.872] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0116.872] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0116.872] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0116.872] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0116.873] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0116.873] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0116.873] GetProcessHeap () returned 0x740000 [0116.874] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0116.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0116.874] GetLastError () returned 0x7e [0116.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0116.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0116.874] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x364) returned 0x750a58 [0116.874] SetLastError (dwErrCode=0x7e) [0116.874] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xe00) returned 0x750dc8 [0116.876] GetStartupInfoW (in: lpStartupInfo=0x18fe64 | out: lpStartupInfo=0x18fe64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0116.876] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0116.876] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0116.876] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0116.876] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId" [0116.876] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId" [0116.876] GetACP () returned 0x4e4 [0116.876] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x220) returned 0x751bd0 [0116.876] IsValidCodePage (CodePage=0x4e4) returned 1 [0116.876] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe84 | out: lpCPInfo=0x18fe84) returned 1 [0116.876] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f74c | out: lpCPInfo=0x18f74c) returned 1 [0116.876] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0116.876] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0116.876] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f760 | out: lpCharType=0x18f760) returned 1 [0116.876] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0116.876] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0116.877] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0116.877] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0116.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0116.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0116.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿññ+v\x9cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0116.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0116.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd60, cbMultiByte=256, lpWideCharStr=0x18f4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0116.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0116.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0116.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿññ+v\x9cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0116.877] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x80) returned 0x743858 [0116.877] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0116.877] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x17a) returned 0x751df8 [0116.877] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0116.877] GetLastError () returned 0x0 [0116.877] SetLastError (dwErrCode=0x0) [0116.877] GetEnvironmentStringsW () returned 0x751f80* [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0xa8c) returned 0x752a18 [0116.878] FreeEnvironmentStringsW (penv=0x751f80) returned 1 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x90) returned 0x744548 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3e) returned 0x74a9a8 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x5c) returned 0x748a88 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x6e) returned 0x744840 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x78) returned 0x7534d8 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x62) returned 0x7449e0 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x28) returned 0x743d78 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x48) returned 0x743fc8 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1a) returned 0x743da8 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3a) returned 0x74aa80 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x62) returned 0x744610 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2a) returned 0x748660 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2e) returned 0x748820 [0116.878] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1c) returned 0x7447b0 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x144) returned 0x749ca0 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x7c) returned 0x744380 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x36) returned 0x74e428 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3a) returned 0x74ad50 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x90) returned 0x743df0 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x7447d8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x30) returned 0x7487e8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x36) returned 0x74e6a8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x48) returned 0x743bd8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x52) returned 0x7438f8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3c) returned 0x74aa38 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xd6) returned 0x749e60 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2e) returned 0x748698 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1e) returned 0x743c28 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2c) returned 0x748708 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x54) returned 0x7428f0 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x52) returned 0x7404b8 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x744050 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x42) returned 0x744080 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2c) returned 0x748740 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x44) returned 0x749f90 [0116.879] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x7440d0 [0116.880] HeapFree (in: hHeap=0x740000, dwFlags=0x0, lpMem=0x752a18 | out: hHeap=0x740000) returned 1 [0116.880] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x800) returned 0x751f80 [0116.880] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0116.880] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0116.880] GetStartupInfoW (in: lpStartupInfo=0x18fec8 | out: lpStartupInfo=0x18fec8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0116.880] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId" [0116.880] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId", pNumArgs=0x18feb4 | out: pNumArgs=0x18feb4) returned 0x752bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0116.881] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0116.966] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x1000) returned 0x7544b8 [0116.966] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x42) returned 0x7482c0 [0116.966] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_deserializeTokenId", cchWideChar=-1, lpMultiByteStr=0x7482c0, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_deserializeTokenId", lpUsedDefaultChar=0x0) returned 33 [0116.967] GetLastError () returned 0x0 [0116.967] SetLastError (dwErrCode=0x0) [0116.967] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdW") returned 0x0 [0116.967] GetLastError () returned 0x7f [0116.967] SetLastError (dwErrCode=0x7f) [0116.967] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdA") returned 0x0 [0116.967] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenId") returned 0x647cd9f5 [0116.967] GetActiveWindow () returned 0x0 [0116.968] GetLastError () returned 0x7f [0116.968] SetLastError (dwErrCode=0x7f) Thread: id = 246 os_tid = 0xdfc Process: id = "124" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5234a000" os_pid = "0xe00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "123" os_parent_pid = "0xdf0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "125" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x74fa1000" os_pid = "0xe18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8946 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8947 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 8948 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 8949 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 8950 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 8951 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 8952 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8953 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8954 start_va = 0xc90000 end_va = 0xc91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 8955 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 8956 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8957 start_va = 0x7f220000 end_va = 0x7f242fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f220000" filename = "" Region: id = 8958 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8959 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8960 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8961 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 8966 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 8967 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8968 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8969 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8970 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8971 start_va = 0xca0000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 8972 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8973 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8974 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8975 start_va = 0x7f120000 end_va = 0x7f21ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f120000" filename = "" Region: id = 8976 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8977 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8978 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8979 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 8980 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 8981 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 8982 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8983 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8984 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 8985 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 8986 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8987 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8988 start_va = 0xc90000 end_va = 0xc93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 8989 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8990 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 8991 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8992 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8993 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 8994 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 8995 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 8996 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 8997 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8998 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8999 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 9000 start_va = 0xca0000 end_va = 0xcc9fff monitored = 0 entry_point = 0xca5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9001 start_va = 0xd10000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 9002 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9003 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9004 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9005 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 9006 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 9007 start_va = 0xe10000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 9008 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9009 start_va = 0xe90000 end_va = 0xf20fff monitored = 0 entry_point = 0xec8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9010 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9011 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 9012 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 9013 start_va = 0xcb0000 end_va = 0xcb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 9014 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 9015 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 9016 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 9017 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 9018 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 9019 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Thread: id = 247 os_tid = 0xc30 [0117.671] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0117.671] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0117.671] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0117.671] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0117.672] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0117.672] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0117.672] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0117.672] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0117.673] GetProcessHeap () returned 0xd10000 [0117.673] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0117.673] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0117.673] GetLastError () returned 0x7e [0117.673] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0117.673] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0117.673] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x364) returned 0xd20a48 [0117.673] SetLastError (dwErrCode=0x7e) [0117.674] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0xe00) returned 0xd20db8 [0117.675] GetStartupInfoW (in: lpStartupInfo=0x18f6a0 | out: lpStartupInfo=0x18f6a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0117.676] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0117.676] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0117.676] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0117.676] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId" [0117.676] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId" [0117.676] GetACP () returned 0x4e4 [0117.676] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x220) returned 0xd21bc0 [0117.676] IsValidCodePage (CodePage=0x4e4) returned 1 [0117.676] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6c0 | out: lpCPInfo=0x18f6c0) returned 1 [0117.676] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18ef88 | out: lpCPInfo=0x18ef88) returned 1 [0117.676] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.676] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x18ed28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.676] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18ef9c | out: lpCharType=0x18ef9c) returned 1 [0117.676] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.676] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x18ecd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0117.676] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0117.677] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0117.677] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.677] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eac8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.677] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f49c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x82/\x0bRØö\x18", lpUsedDefaultChar=0x0) returned 256 [0117.677] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.677] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpWideCharStr=0x18ecf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0117.677] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.677] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eae8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0117.677] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f39c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x82/\x0bRØö\x18", lpUsedDefaultChar=0x0) returned 256 [0117.677] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x80) returned 0xd13850 [0117.677] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0117.677] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x176) returned 0xd21de8 [0117.677] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0117.677] GetLastError () returned 0x0 [0117.677] SetLastError (dwErrCode=0x0) [0117.677] GetEnvironmentStringsW () returned 0xd21f68* [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0xa8c) returned 0xd22a00 [0117.678] FreeEnvironmentStringsW (penv=0xd21f68) returned 1 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x90) returned 0xd14540 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3e) returned 0xd1aab8 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x5c) returned 0xd18818 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x6e) returned 0xd14608 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x78) returned 0xd234c0 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x62) returned 0xd149d8 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x28) returned 0xd13d70 [0117.678] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x48) returned 0xd13fc0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1a) returned 0xd10570 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3a) returned 0xd1b0a0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x62) returned 0xd13bd0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2a) returned 0xd18658 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2e) returned 0xd18498 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1c) returned 0xd13da0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x144) returned 0xd19c90 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x7c) returned 0xd18078 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x36) returned 0xd1e098 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3a) returned 0xd1a9e0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x90) returned 0xd14378 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd138f0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x30) returned 0xd186c8 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x36) returned 0xd1e218 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x48) returned 0xd128f0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x52) returned 0xd104b8 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3c) returned 0xd1aef0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0xd6) returned 0xd19e50 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2e) returned 0xd18738 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1e) returned 0xd12940 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2c) returned 0xd185b0 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x54) returned 0xd13de8 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x52) returned 0xd14048 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd13e48 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x42) returned 0xd140a8 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2c) returned 0xd18460 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x44) returned 0xd19f80 [0117.679] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd13920 [0117.680] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd22a00 | out: hHeap=0xd10000) returned 1 [0117.680] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x800) returned 0xd21f68 [0117.680] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0117.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0117.680] GetStartupInfoW (in: lpStartupInfo=0x18f704 | out: lpStartupInfo=0x18f704*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0117.680] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId" [0117.681] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId", pNumArgs=0x18f6f0 | out: pNumArgs=0x18f6f0) returned 0xd22bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0117.681] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0117.743] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x1000) returned 0xd244a0 [0117.743] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x3e) returned 0xd1b130 [0117.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_duplicateTokenId", cchWideChar=-1, lpMultiByteStr=0xd1b130, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_duplicateTokenId", lpUsedDefaultChar=0x0) returned 31 [0117.743] GetLastError () returned 0x0 [0117.743] SetLastError (dwErrCode=0x0) [0117.743] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdW") returned 0x0 [0117.743] GetLastError () returned 0x7f [0117.744] SetLastError (dwErrCode=0x7f) [0117.744] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdA") returned 0x0 [0117.744] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenId") returned 0x647c4602 [0117.744] GetActiveWindow () returned 0x0 [0117.767] GetLastError () returned 0x7f [0117.767] SetLastError (dwErrCode=0x7f) Thread: id = 249 os_tid = 0xc54 Process: id = "126" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59617000" os_pid = "0xc38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "125" os_parent_pid = "0xe18" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "127" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x660b9000" os_pid = "0xe68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9024 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9025 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9026 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9027 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9028 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9029 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9030 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9031 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9032 start_va = 0x810000 end_va = 0x811fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 9033 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9034 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9035 start_va = 0x7f300000 end_va = 0x7f322fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f300000" filename = "" Region: id = 9036 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9037 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9038 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9039 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9042 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9043 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9044 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9045 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9046 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9047 start_va = 0x820000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 9048 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9049 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9050 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9051 start_va = 0x7f200000 end_va = 0x7f2fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f200000" filename = "" Region: id = 9052 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9053 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9054 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9055 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9056 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9057 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 9058 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9059 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9060 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9061 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9062 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9063 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9064 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9065 start_va = 0x810000 end_va = 0x813fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 9066 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9067 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9068 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9069 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9070 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9071 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9072 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9073 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9074 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9075 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9076 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 9077 start_va = 0x820000 end_va = 0x849fff monitored = 0 entry_point = 0x825680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9078 start_va = 0x8d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 9079 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9080 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9081 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9082 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 9083 start_va = 0xb60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 9084 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9085 start_va = 0x820000 end_va = 0x8b0fff monitored = 0 entry_point = 0x858cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9086 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9087 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 9088 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 9089 start_va = 0x830000 end_va = 0x837fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 9097 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 9098 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 9099 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 9100 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 9101 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 9102 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Thread: id = 256 os_tid = 0xe7c [0118.149] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.149] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.150] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.150] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.150] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.150] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.151] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.151] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.151] GetProcessHeap () returned 0x8d0000 [0118.151] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.151] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.151] GetLastError () returned 0x7e [0118.151] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0118.152] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.152] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x364) returned 0x8e0a40 [0118.152] SetLastError (dwErrCode=0x7e) [0118.152] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0xe00) returned 0x8e0db0 [0118.153] GetStartupInfoW (in: lpStartupInfo=0x18fc7c | out: lpStartupInfo=0x18fc7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.154] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0118.154] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0118.154] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0118.154] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess" [0118.154] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess" [0118.154] GetACP () returned 0x4e4 [0118.154] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x220) returned 0x8e1bb8 [0118.154] IsValidCodePage (CodePage=0x4e4) returned 1 [0118.154] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc9c | out: lpCPInfo=0x18fc9c) returned 1 [0118.154] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f564 | out: lpCPInfo=0x18f564) returned 1 [0118.154] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.154] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0118.154] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f578 | out: lpCharType=0x18f578) returned 1 [0118.154] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.154] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.154] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.154] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0118.154] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.154] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.155] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa78, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÑ\x90ß\x88´ü\x18", lpUsedDefaultChar=0x0) returned 256 [0118.155] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.155] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpWideCharStr=0x18f2d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0118.155] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.155] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0118.155] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f978, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÑ\x90ß\x88´ü\x18", lpUsedDefaultChar=0x0) returned 256 [0118.155] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x80) returned 0x8d3848 [0118.155] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0118.155] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x16e) returned 0x8e1de0 [0118.155] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0118.155] GetLastError () returned 0x0 [0118.155] SetLastError (dwErrCode=0x0) [0118.155] GetEnvironmentStringsW () returned 0x8e1f58* [0118.155] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0xa8c) returned 0x8e29f0 [0118.156] FreeEnvironmentStringsW (penv=0x8e1f58) returned 1 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x90) returned 0x8d4538 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3e) returned 0x8daf30 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x5c) returned 0x8d8a70 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x6e) returned 0x8d4600 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x78) returned 0x8e3930 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x62) returned 0x8d4c30 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x28) returned 0x8d3d68 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x48) returned 0x8d3fb8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1a) returned 0x8d0570 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3a) returned 0x8dac18 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x62) returned 0x8d3bc8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2a) returned 0x8d88b0 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2e) returned 0x8d8840 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1c) returned 0x8d3d98 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x144) returned 0x8d9c88 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x7c) returned 0x8d82d0 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x36) returned 0x8de310 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3a) returned 0x8daa68 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x90) returned 0x8d4370 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d38e8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x30) returned 0x8d88e8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x36) returned 0x8de010 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x48) returned 0x8d28e8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x52) returned 0x8d04b8 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3c) returned 0x8db050 [0118.156] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0xd6) returned 0x8d9e48 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2e) returned 0x8d8680 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1e) returned 0x8d2938 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2c) returned 0x8d8920 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x54) returned 0x8d3de0 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x52) returned 0x8d4040 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d3e40 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x42) returned 0x8d40a0 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2c) returned 0x8d8990 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x44) returned 0x8d9f78 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d3918 [0118.157] HeapFree (in: hHeap=0x8d0000, dwFlags=0x0, lpMem=0x8e29f0 | out: hHeap=0x8d0000) returned 1 [0118.157] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x800) returned 0x8e1f58 [0118.158] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.158] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0118.158] GetStartupInfoW (in: lpStartupInfo=0x18fce0 | out: lpStartupInfo=0x18fce0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.158] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess" [0118.158] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess", pNumArgs=0x18fccc | out: pNumArgs=0x18fccc) returned 0x8e2ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0118.158] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0118.161] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x1000) returned 0x8e4490 [0118.161] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x36) returned 0x8de410 [0118.161] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_ensureAccess", cchWideChar=-1, lpMultiByteStr=0x8de410, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_ensureAccess", lpUsedDefaultChar=0x0) returned 27 [0118.161] GetLastError () returned 0x0 [0118.161] SetLastError (dwErrCode=0x0) [0118.161] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessW") returned 0x0 [0118.161] GetLastError () returned 0x7f [0118.161] SetLastError (dwErrCode=0x7f) [0118.162] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessA") returned 0x0 [0118.162] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccess") returned 0x647cd3d9 [0118.162] GetActiveWindow () returned 0x0 [0118.163] GetLastError () returned 0x7f [0118.163] SetLastError (dwErrCode=0x7f) Thread: id = 258 os_tid = 0xe80 Process: id = "128" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x523cc000" os_pid = "0xc58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "127" os_parent_pid = "0xe68" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "129" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x260d1000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9110 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9111 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9112 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9113 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 9114 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 9115 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 9116 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 9117 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9118 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9119 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9120 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9121 start_va = 0x7f6a0000 end_va = 0x7f6c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6a0000" filename = "" Region: id = 9122 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9123 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9124 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9125 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9126 start_va = 0xc0000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 9127 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9128 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9129 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9130 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9131 start_va = 0x500000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 9132 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9133 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9134 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9135 start_va = 0x7f5a0000 end_va = 0x7f69ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5a0000" filename = "" Region: id = 9136 start_va = 0xf0000 end_va = 0x1adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9137 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9138 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9139 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9140 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 9141 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9142 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9143 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9144 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9145 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9146 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9147 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9148 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 9149 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9150 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9151 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9152 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9153 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9155 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9156 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9157 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9158 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9159 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9160 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9161 start_va = 0x5e0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 9162 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 9163 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9164 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9165 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 9166 start_va = 0xe0000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 9167 start_va = 0x500000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 9168 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 9169 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9170 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9171 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9172 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 9173 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 9174 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 9175 start_va = 0x510000 end_va = 0x517fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 9176 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 9177 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 9178 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 9179 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 9180 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 9181 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Thread: id = 259 os_tid = 0xc50 [0118.500] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.500] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.500] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.500] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.500] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.500] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.501] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.501] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.502] GetProcessHeap () returned 0x5e0000 [0118.502] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.502] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.502] GetLastError () returned 0x7e [0118.502] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0118.502] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.502] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x364) returned 0x5f0a40 [0118.503] SetLastError (dwErrCode=0x7e) [0118.503] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0xe00) returned 0x5f0db0 [0118.505] GetStartupInfoW (in: lpStartupInfo=0x4ffa34 | out: lpStartupInfo=0x4ffa34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.505] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0118.505] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0118.505] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0118.505] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds" [0118.505] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds" [0118.505] GetACP () returned 0x4e4 [0118.505] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x220) returned 0x5f1bb8 [0118.505] IsValidCodePage (CodePage=0x4e4) returned 1 [0118.505] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ffa54 | out: lpCPInfo=0x4ffa54) returned 1 [0118.505] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff31c | out: lpCPInfo=0x4ff31c) returned 1 [0118.505] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.505] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x4ff0b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0118.505] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x4ff330 | out: lpCharType=0x4ff330) returned 1 [0118.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x4ff078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0118.506] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.506] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0118.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4fee68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4ff830, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿºä\x84álúO", lpUsedDefaultChar=0x0) returned 256 [0118.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff930, cbMultiByte=256, lpWideCharStr=0x4ff088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0118.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4fee78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0118.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4ff730, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿºä\x84álúO", lpUsedDefaultChar=0x0) returned 256 [0118.506] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x80) returned 0x5e3848 [0118.507] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0118.507] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x16e) returned 0x5f1de0 [0118.507] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0118.507] GetLastError () returned 0x0 [0118.507] SetLastError (dwErrCode=0x0) [0118.507] GetEnvironmentStringsW () returned 0x5f1f58* [0118.507] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0xa8c) returned 0x5f29f0 [0118.507] FreeEnvironmentStringsW (penv=0x5f1f58) returned 1 [0118.507] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x90) returned 0x5e4538 [0118.507] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x3e) returned 0x5eaa68 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x5c) returned 0x5e8810 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x6e) returned 0x5e4600 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x78) returned 0x5f38b0 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x62) returned 0x5e49d0 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x28) returned 0x5e3d68 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x48) returned 0x5e3fb8 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x1a) returned 0x5e0570 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x3a) returned 0x5ea9d8 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x62) returned 0x5e3bc8 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2a) returned 0x5e8688 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2e) returned 0x5e8538 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x1c) returned 0x5e3d98 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x144) returned 0x5e9a28 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x7c) returned 0x5e8070 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x36) returned 0x5ee350 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x3a) returned 0x5eb008 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x90) returned 0x5e4370 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x24) returned 0x5e38e8 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x30) returned 0x5e8570 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x36) returned 0x5ee110 [0118.508] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x48) returned 0x5e28e8 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x52) returned 0x5e04b8 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x3c) returned 0x5eae10 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0xd6) returned 0x5e9e48 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2e) returned 0x5e8420 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x1e) returned 0x5e2938 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2c) returned 0x5e85e0 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x54) returned 0x5e3de0 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x52) returned 0x5e4040 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x24) returned 0x5e3e40 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x42) returned 0x5e40a0 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x2c) returned 0x5e86c0 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x44) returned 0x5e9f78 [0118.509] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x24) returned 0x5e3918 [0118.510] HeapFree (in: hHeap=0x5e0000, dwFlags=0x0, lpMem=0x5f29f0 | out: hHeap=0x5e0000) returned 1 [0118.510] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x8, Size=0x800) returned 0x5f1f58 [0118.510] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.510] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0118.510] GetStartupInfoW (in: lpStartupInfo=0x4ffa98 | out: lpStartupInfo=0x4ffa98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.510] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds" [0118.510] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds", pNumArgs=0x4ffa84 | out: pNumArgs=0x4ffa84) returned 0x5f2ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0118.511] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0118.513] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x1000) returned 0x5f4490 [0118.513] RtlAllocateHeap (HeapHandle=0x5e0000, Flags=0x0, Size=0x36) returned 0x5ee4d0 [0118.513] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_enumTokenIds", cchWideChar=-1, lpMultiByteStr=0x5ee4d0, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_enumTokenIds", lpUsedDefaultChar=0x0) returned 27 [0118.513] GetLastError () returned 0x0 [0118.513] SetLastError (dwErrCode=0x0) [0118.514] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsW") returned 0x0 [0118.514] GetLastError () returned 0x7f [0118.514] SetLastError (dwErrCode=0x7f) [0118.514] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsA") returned 0x0 [0118.514] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIds") returned 0x647c5113 [0118.514] GetActiveWindow () returned 0x0 [0118.515] GetLastError () returned 0x7f [0118.515] SetLastError (dwErrCode=0x7f) Thread: id = 261 os_tid = 0xe9c Process: id = "130" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x56e9e000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "129" os_parent_pid = "0xe98" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "131" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d7ea000" os_pid = "0xeac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9182 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9183 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9184 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9185 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9186 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9187 start_va = 0x7a0000 end_va = 0x7a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 9188 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9189 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9190 start_va = 0x7f230000 end_va = 0x7f252fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f230000" filename = "" Region: id = 9191 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9192 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9193 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9194 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9195 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9196 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9197 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9202 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9203 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9204 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9205 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9206 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9207 start_va = 0x7b0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 9208 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9209 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9210 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9211 start_va = 0x7f130000 end_va = 0x7f22ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f130000" filename = "" Region: id = 9212 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9213 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9214 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9215 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9216 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9217 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9218 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9219 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9220 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9221 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9222 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9223 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9224 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9225 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 9226 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9227 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9228 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9229 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9230 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9231 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9232 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9233 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9234 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9235 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9236 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 9237 start_va = 0x7b0000 end_va = 0x7d9fff monitored = 0 entry_point = 0x7b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9238 start_va = 0x930000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 9239 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9242 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9243 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 9244 start_va = 0xa30000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 9245 start_va = 0xbc0000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 9246 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9247 start_va = 0x7b0000 end_va = 0x840fff monitored = 0 entry_point = 0x7e8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9248 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9249 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 9250 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 9251 start_va = 0x7c0000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 9252 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 9253 start_va = 0x7d0000 end_va = 0x7d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 9254 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 9255 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 9256 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 9257 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Thread: id = 262 os_tid = 0xeb8 [0118.905] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.905] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.905] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.905] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.905] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.905] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.906] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.906] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0118.907] GetProcessHeap () returned 0x930000 [0118.907] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.907] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0118.907] GetLastError () returned 0x7e [0118.907] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0118.907] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0118.907] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x364) returned 0x940a08 [0118.907] SetLastError (dwErrCode=0x7e) [0118.907] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xe00) returned 0x940d78 [0118.909] GetStartupInfoW (in: lpStartupInfo=0x18f950 | out: lpStartupInfo=0x18f950*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.909] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0118.909] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0118.909] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0118.909] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId" [0118.909] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId" [0118.909] GetACP () returned 0x4e4 [0118.909] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x220) returned 0x941b80 [0118.909] IsValidCodePage (CodePage=0x4e4) returned 1 [0118.909] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f970 | out: lpCPInfo=0x18f970) returned 1 [0118.909] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f238 | out: lpCPInfo=0x18f238) returned 1 [0118.909] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.910] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f24c | out: lpCharType=0x18f24c) returned 1 [0118.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0118.910] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0118.910] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0118.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.910] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1d\x1c9)\x88ù\x18", lpUsedDefaultChar=0x0) returned 256 [0118.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0118.910] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0118.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0118.910] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0118.910] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f64c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1d\x1c9)\x88ù\x18", lpUsedDefaultChar=0x0) returned 256 [0118.910] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x80) returned 0x933848 [0118.910] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x16c) returned 0x941da8 [0118.911] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0118.911] GetLastError () returned 0x0 [0118.911] SetLastError (dwErrCode=0x0) [0118.911] GetEnvironmentStringsW () returned 0x941f20* [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0xa8c) returned 0x9429b8 [0118.911] FreeEnvironmentStringsW (penv=0x941f20) returned 1 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x934538 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3e) returned 0x93a958 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x5c) returned 0x938a38 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x6e) returned 0x934830 [0118.911] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x78) returned 0x943a78 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x933fb8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x28) returned 0x939e10 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x933d68 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1a) returned 0x934600 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93a9e8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x9347a0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2a) returned 0x9388e8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x938648 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1c) returned 0x934628 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x144) returned 0x939c50 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x7c) returned 0x938298 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93dfd8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93af40 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x93a260 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x933bc8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x30) returned 0x938840 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93e418 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x9338e8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x9328e8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3c) returned 0x93add8 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xd6) returned 0x9304a0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x9386f0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1e) returned 0x930580 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x938610 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x54) returned 0x934370 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x933de0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x9343d0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x42) returned 0x934040 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x9387d0 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x44) returned 0x934090 [0118.912] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x933e40 [0118.913] HeapFree (in: hHeap=0x930000, dwFlags=0x0, lpMem=0x9429b8 | out: hHeap=0x930000) returned 1 [0118.913] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x800) returned 0x941f20 [0118.913] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0118.913] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0118.913] GetStartupInfoW (in: lpStartupInfo=0x18f9b4 | out: lpStartupInfo=0x18f9b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0118.913] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId" [0118.914] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId", pNumArgs=0x18f9a0 | out: pNumArgs=0x18f9a0) returned 0x942b70*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0118.914] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0118.920] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x1000) returned 0x944458 [0118.921] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x34) returned 0x93e118 [0118.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenId", cchWideChar=-1, lpMultiByteStr=0x93e118, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenId", lpUsedDefaultChar=0x0) returned 26 [0118.921] GetLastError () returned 0x0 [0118.921] SetLastError (dwErrCode=0x0) [0118.921] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdW") returned 0x0 [0118.921] GetLastError () returned 0x7f [0118.921] SetLastError (dwErrCode=0x7f) [0118.921] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdA") returned 0x0 [0118.921] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenId") returned 0x647c4538 [0118.921] GetActiveWindow () returned 0x0 [0118.922] GetLastError () returned 0x7f [0118.922] SetLastError (dwErrCode=0x7f) Thread: id = 264 os_tid = 0xee4 Process: id = "132" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x520ef000" os_pid = "0xf00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "131" os_parent_pid = "0xeac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "133" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52104000" os_pid = "0xf18" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9261 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9262 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9263 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9264 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9265 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9266 start_va = 0xd80000 end_va = 0xd81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 9267 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9268 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9269 start_va = 0x7e5e0000 end_va = 0x7e602fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5e0000" filename = "" Region: id = 9270 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9271 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9272 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9273 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9274 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9275 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9276 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9279 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9280 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9281 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9282 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9283 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9284 start_va = 0xd90000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 9285 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9286 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9287 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9288 start_va = 0x7e4e0000 end_va = 0x7e5dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4e0000" filename = "" Region: id = 9289 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9290 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 9291 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9292 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9293 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9294 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 9295 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9296 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9297 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9298 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9299 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9300 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9301 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9302 start_va = 0xd80000 end_va = 0xd83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 9303 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9304 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9305 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9306 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9307 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9308 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9309 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9310 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9311 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9312 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9313 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9314 start_va = 0xe90000 end_va = 0xeb9fff monitored = 0 entry_point = 0xe95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9315 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9316 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9317 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9318 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 9319 start_va = 0xe90000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 9320 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9321 start_va = 0xe90000 end_va = 0xf20fff monitored = 0 entry_point = 0xec8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9322 start_va = 0x1010000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 9323 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9324 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 9325 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 9326 start_va = 0xea0000 end_va = 0xea7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 9334 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 9335 start_va = 0xeb0000 end_va = 0xeb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 9336 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 9337 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 9338 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 9339 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Thread: id = 268 os_tid = 0xf24 [0119.328] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0119.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.328] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0119.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.329] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0119.329] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0119.329] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.329] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0119.330] GetProcessHeap () returned 0xd90000 [0119.330] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.330] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0119.330] GetLastError () returned 0x7e [0119.330] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0119.330] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0119.330] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x364) returned 0xda0a48 [0119.330] SetLastError (dwErrCode=0x7e) [0119.331] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0xe00) returned 0xda0db8 [0119.332] GetStartupInfoW (in: lpStartupInfo=0x18fd88 | out: lpStartupInfo=0x18fd88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0119.332] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0119.332] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0119.332] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0119.332] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList" [0119.332] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList" [0119.332] GetACP () returned 0x4e4 [0119.332] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x0, Size=0x220) returned 0xda1bc0 [0119.332] IsValidCodePage (CodePage=0x4e4) returned 1 [0119.332] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fda8 | out: lpCPInfo=0x18fda8) returned 1 [0119.332] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f670 | out: lpCPInfo=0x18f670) returned 1 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0119.333] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f684 | out: lpCharType=0x18f684) returned 1 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0119.333] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.333] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0119.333] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0119.333] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f1b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0119.333] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb84, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1c\x1eI\x91Àý\x18", lpUsedDefaultChar=0x0) returned 256 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.333] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc84, cbMultiByte=256, lpWideCharStr=0x18f3e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0119.333] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0119.333] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0119.333] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa84, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1c\x1eI\x91Àý\x18", lpUsedDefaultChar=0x0) returned 256 [0119.333] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x0, Size=0x80) returned 0xd93850 [0119.334] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x174) returned 0xda1de8 [0119.334] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0119.334] GetLastError () returned 0x0 [0119.334] SetLastError (dwErrCode=0x0) [0119.334] GetEnvironmentStringsW () returned 0xda1f68* [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x0, Size=0xa8c) returned 0xda2a00 [0119.334] FreeEnvironmentStringsW (penv=0xda1f68) returned 1 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x90) returned 0xd94540 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x3e) returned 0xd9b0e8 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x5c) returned 0xd98818 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x6e) returned 0xd94608 [0119.334] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x78) returned 0xda39c0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x62) returned 0xd949d8 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x28) returned 0xd93d70 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x48) returned 0xd93fc0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x1a) returned 0xd90570 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x3a) returned 0xd9add0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x62) returned 0xd93bd0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x2a) returned 0xd983f0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x2e) returned 0xd98620 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x1c) returned 0xd93da0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x144) returned 0xd99c90 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x7c) returned 0xd98078 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x36) returned 0xd9e598 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x3a) returned 0xd9ad88 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x90) returned 0xd94378 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x24) returned 0xd938f0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x30) returned 0xd98540 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x36) returned 0xd9df58 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x48) returned 0xd928f0 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x52) returned 0xd904b8 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x3c) returned 0xd9ad40 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0xd6) returned 0xd99e50 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x2e) returned 0xd98578 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x1e) returned 0xd92940 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x2c) returned 0xd98690 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x54) returned 0xd93de8 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x52) returned 0xd94048 [0119.335] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x24) returned 0xd93e48 [0119.336] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x42) returned 0xd940a8 [0119.336] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x2c) returned 0xd986c8 [0119.336] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x44) returned 0xd99f80 [0119.336] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x24) returned 0xd93920 [0119.336] HeapFree (in: hHeap=0xd90000, dwFlags=0x0, lpMem=0xda2a00 | out: hHeap=0xd90000) returned 1 [0119.336] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x8, Size=0x800) returned 0xda1f68 [0119.336] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0119.336] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0119.337] GetStartupInfoW (in: lpStartupInfo=0x18fdec | out: lpStartupInfo=0x18fdec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0119.337] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList" [0119.337] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList", pNumArgs=0x18fdd8 | out: pNumArgs=0x18fdd8) returned 0xda2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0119.337] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0119.349] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x0, Size=0x1000) returned 0xda44a0 [0119.349] RtlAllocateHeap (HeapHandle=0xd90000, Flags=0x0, Size=0x3c) returned 0xd9b130 [0119.349] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenIdList", cchWideChar=-1, lpMultiByteStr=0xd9b130, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenIdList", lpUsedDefaultChar=0x0) returned 30 [0119.349] GetLastError () returned 0x0 [0119.349] SetLastError (dwErrCode=0x0) [0119.349] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListW") returned 0x0 [0119.350] GetLastError () returned 0x7f [0119.350] SetLastError (dwErrCode=0x7f) [0119.350] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListA") returned 0x0 [0119.350] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdList") returned 0x647c502f [0119.350] GetActiveWindow () returned 0x0 [0119.351] GetLastError () returned 0x7f [0119.351] SetLastError (dwErrCode=0x7f) Thread: id = 270 os_tid = 0xc4c Process: id = "134" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3cee000" os_pid = "0xf3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "133" os_parent_pid = "0xf18" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "135" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6a51d000" os_pid = "0xc60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9342 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9343 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9344 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9345 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9346 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9347 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9348 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9349 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9350 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9351 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9352 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9353 start_va = 0x7fa80000 end_va = 0x7faa2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa80000" filename = "" Region: id = 9354 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9355 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9356 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9357 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9360 start_va = 0x410000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 9361 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9362 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9363 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9364 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9365 start_va = 0x480000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 9366 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9368 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9369 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9370 start_va = 0x7f980000 end_va = 0x7fa7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f980000" filename = "" Region: id = 9371 start_va = 0x5a0000 end_va = 0x65dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9372 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9373 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9374 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9375 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 9376 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9377 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9378 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9379 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9380 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9381 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9382 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9383 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9384 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9385 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9386 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9387 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9388 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9389 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9390 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9391 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9392 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9393 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9394 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9395 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 9396 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 9397 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9398 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9399 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 9400 start_va = 0x8f0000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 9401 start_va = 0xa80000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 9402 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9403 start_va = 0xa80000 end_va = 0xb10fff monitored = 0 entry_point = 0xab8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9404 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 9405 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9406 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 9407 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 9408 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 9409 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 9410 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 9411 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 9412 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 9413 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 9414 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 271 os_tid = 0xf40 [0119.748] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0119.748] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.749] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0119.749] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.749] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0119.749] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0119.750] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.750] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0119.750] GetProcessHeap () returned 0x4a0000 [0119.750] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.751] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0119.751] GetLastError () returned 0x7e [0119.751] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0119.751] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0119.751] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x364) returned 0x4b0a28 [0119.751] SetLastError (dwErrCode=0x7e) [0119.752] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xe00) returned 0x4b0d98 [0119.754] GetStartupInfoW (in: lpStartupInfo=0x18f714 | out: lpStartupInfo=0x18f714*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0119.754] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0119.754] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0119.754] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0119.754] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login" [0119.754] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login" [0119.754] GetACP () returned 0x4e4 [0119.754] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x220) returned 0x4b1ba0 [0119.754] IsValidCodePage (CodePage=0x4e4) returned 1 [0119.754] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f734 | out: lpCPInfo=0x18f734) returned 1 [0119.754] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18effc | out: lpCPInfo=0x18effc) returned 1 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0119.755] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f010 | out: lpCharType=0x18f010) returned 1 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0119.755] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0119.755] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0119.755] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0119.755] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0119.755] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f510, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuhZ\x86L÷\x18", lpUsedDefaultChar=0x0) returned 256 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0119.755] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0119.756] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0119.756] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0119.756] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f410, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuhZ\x86L÷\x18", lpUsedDefaultChar=0x0) returned 256 [0119.756] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x80) returned 0x4a3830 [0119.756] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0119.756] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x160) returned 0x4a9c70 [0119.756] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0119.756] GetLastError () returned 0x0 [0119.756] SetLastError (dwErrCode=0x0) [0119.756] GetEnvironmentStringsW () returned 0x4b1dc8* [0119.756] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0xa8c) returned 0x4b2860 [0119.757] FreeEnvironmentStringsW (penv=0x4b1dc8) returned 1 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x90) returned 0x4a4520 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x3e) returned 0x4aa978 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x5c) returned 0x4a87f8 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x6e) returned 0x4a45e8 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x78) returned 0x4b3820 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x62) returned 0x4a49b8 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x28) returned 0x4a3d50 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x48) returned 0x4a3fa0 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x1a) returned 0x4a0570 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x3a) returned 0x4aa9c0 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x62) returned 0x4a3bb0 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2a) returned 0x4a8520 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2e) returned 0x4a8670 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x1c) returned 0x4a3d80 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x144) returned 0x4b1dc8 [0119.757] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x7c) returned 0x4a8058 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x36) returned 0x4ae038 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x3a) returned 0x4aac48 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x90) returned 0x4a4358 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x24) returned 0x4a38d0 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x30) returned 0x4a8478 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x36) returned 0x4ae578 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x48) returned 0x4a28d8 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x52) returned 0x4a04b8 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x3c) returned 0x4aac00 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0xd6) returned 0x4a9e30 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2e) returned 0x4a8718 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x1e) returned 0x4a2928 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4a8558 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x54) returned 0x4a3dc8 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x52) returned 0x4a4028 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x24) returned 0x4a3e28 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x42) returned 0x4a4088 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x2c) returned 0x4a8590 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x44) returned 0x4a9f60 [0119.758] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x24) returned 0x4a3900 [0119.759] HeapFree (in: hHeap=0x4a0000, dwFlags=0x0, lpMem=0x4b2860 | out: hHeap=0x4a0000) returned 1 [0119.759] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x8, Size=0x800) returned 0x4b1f18 [0119.759] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0119.759] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0119.759] GetStartupInfoW (in: lpStartupInfo=0x18f778 | out: lpStartupInfo=0x18f778*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0119.759] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login" [0119.760] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login", pNumArgs=0x18f764 | out: pNumArgs=0x18f764) returned 0x4b2b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0119.780] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0119.782] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x1000) returned 0x4b4300 [0119.782] RtlAllocateHeap (HeapHandle=0x4a0000, Flags=0x0, Size=0x28) returned 0x4aa6a8 [0119.782] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_login", cchWideChar=-1, lpMultiByteStr=0x4aa6a8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_login", lpUsedDefaultChar=0x0) returned 20 [0119.783] GetLastError () returned 0x0 [0119.783] SetLastError (dwErrCode=0x0) [0119.783] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginW") returned 0x0 [0119.783] GetLastError () returned 0x7f [0119.783] SetLastError (dwErrCode=0x7f) [0119.783] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginA") returned 0x0 [0119.783] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_login") returned 0x647c4c4b [0119.783] GetActiveWindow () returned 0x0 [0119.784] GetLastError () returned 0x7f [0119.784] SetLastError (dwErrCode=0x7f) Thread: id = 273 os_tid = 0xc6c Process: id = "136" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5210c000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "135" os_parent_pid = "0xc60" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "137" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7b735000" os_pid = "0xf6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9419 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9420 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9421 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9422 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9423 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9424 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9425 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9426 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9427 start_va = 0xbe0000 end_va = 0xbe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 9428 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9429 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9430 start_va = 0x7e410000 end_va = 0x7e432fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e410000" filename = "" Region: id = 9431 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9432 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9433 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9434 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9437 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9438 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9439 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9440 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9441 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9442 start_va = 0xbf0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 9443 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9444 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9448 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9449 start_va = 0x7e310000 end_va = 0x7e40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e310000" filename = "" Region: id = 9450 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9451 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 9452 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9453 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9454 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9455 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 9456 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9457 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9458 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9459 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9460 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9461 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9462 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9463 start_va = 0xbe0000 end_va = 0xbe3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 9464 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9465 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9466 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9467 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9468 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9469 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9470 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9471 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9472 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9473 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9474 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 9475 start_va = 0xbf0000 end_va = 0xc19fff monitored = 0 entry_point = 0xbf5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9476 start_va = 0xd50000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 9477 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9481 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9482 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9483 start_va = 0x830000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 9484 start_va = 0xbf0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 9485 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9486 start_va = 0xc20000 end_va = 0xcb0fff monitored = 0 entry_point = 0xc58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9487 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9488 start_va = 0xbf0000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 9489 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 9490 start_va = 0xc00000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 9491 start_va = 0xc00000 end_va = 0xc07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 9492 start_va = 0xc00000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 9493 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 9494 start_va = 0xc00000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 9495 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 9496 start_va = 0xc00000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 9497 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Thread: id = 274 os_tid = 0xf70 [0120.158] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0120.158] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.158] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0120.158] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.159] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0120.159] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0120.159] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.160] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0120.160] GetProcessHeap () returned 0xd50000 [0120.160] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.160] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0120.160] GetLastError () returned 0x7e [0120.161] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0120.161] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0120.161] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x364) returned 0xd60a28 [0120.161] SetLastError (dwErrCode=0x7e) [0120.161] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0xe00) returned 0xd60d98 [0120.163] GetStartupInfoW (in: lpStartupInfo=0x18fa30 | out: lpStartupInfo=0x18fa30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0120.163] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0120.163] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0120.163] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0120.163] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout" [0120.163] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout" [0120.163] GetACP () returned 0x4e4 [0120.164] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x0, Size=0x220) returned 0xd61ba0 [0120.164] IsValidCodePage (CodePage=0x4e4) returned 1 [0120.164] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa50 | out: lpCPInfo=0x18fa50) returned 1 [0120.164] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f318 | out: lpCPInfo=0x18f318) returned 1 [0120.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x18f0b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0120.164] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f32c | out: lpCharType=0x18f32c) returned 1 [0120.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x18f068, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0120.164] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.164] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0120.164] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0120.164] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0120.164] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f82c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x83#6¼hú\x18", lpUsedDefaultChar=0x0) returned 256 [0120.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.165] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0120.165] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0120.165] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0120.165] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f72c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x83#6¼hú\x18", lpUsedDefaultChar=0x0) returned 256 [0120.165] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x0, Size=0x80) returned 0xd53830 [0120.165] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0120.165] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x162) returned 0xd61dc8 [0120.165] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0120.165] GetLastError () returned 0x0 [0120.165] SetLastError (dwErrCode=0x0) [0120.165] GetEnvironmentStringsW () returned 0xd61f38* [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x0, Size=0xa8c) returned 0xd629d0 [0120.166] FreeEnvironmentStringsW (penv=0xd61f38) returned 1 [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x90) returned 0xd54520 [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x3e) returned 0xd5ad68 [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x5c) returned 0xd587f8 [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x6e) returned 0xd545e8 [0120.166] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x78) returned 0xd63c10 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x62) returned 0xd549b8 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x28) returned 0xd53d50 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x48) returned 0xd53fa0 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x1a) returned 0xd50570 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x3a) returned 0xd5ae88 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x62) returned 0xd53bb0 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x2a) returned 0xd585c8 [0120.167] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x2e) returned 0xd58600 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x1c) returned 0xd53d80 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x144) returned 0xd59c70 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x7c) returned 0xd58058 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x36) returned 0xd5e078 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x3a) returned 0xd5aa50 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x90) returned 0xd54358 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x24) returned 0xd538d0 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x30) returned 0xd58718 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x36) returned 0xd5e0f8 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x48) returned 0xd528d8 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x52) returned 0xd504b8 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x3c) returned 0xd5adf8 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0xd6) returned 0xd59e30 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x2e) returned 0xd58440 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x1e) returned 0xd52928 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x2c) returned 0xd58408 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x54) returned 0xd53dc8 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x52) returned 0xd54028 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x24) returned 0xd53e28 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x42) returned 0xd54088 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x2c) returned 0xd58478 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x44) returned 0xd59f60 [0120.168] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x24) returned 0xd53900 [0120.169] HeapFree (in: hHeap=0xd50000, dwFlags=0x0, lpMem=0xd629d0 | out: hHeap=0xd50000) returned 1 [0120.169] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x8, Size=0x800) returned 0xd61f38 [0120.169] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0120.169] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0120.169] GetStartupInfoW (in: lpStartupInfo=0x18fa94 | out: lpStartupInfo=0x18fa94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0120.170] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout" [0120.170] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout", pNumArgs=0x18fa80 | out: pNumArgs=0x18fa80) returned 0xd62b88*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0120.170] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0120.173] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x0, Size=0x1000) returned 0xd64470 [0120.173] RtlAllocateHeap (HeapHandle=0xd50000, Flags=0x0, Size=0x2a) returned 0xd58670 [0120.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_logout", cchWideChar=-1, lpMultiByteStr=0xd58670, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_logout", lpUsedDefaultChar=0x0) returned 21 [0120.174] GetLastError () returned 0x0 [0120.174] SetLastError (dwErrCode=0x0) [0120.174] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutW") returned 0x0 [0120.174] GetLastError () returned 0x7f [0120.174] SetLastError (dwErrCode=0x7f) [0120.174] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutA") returned 0x0 [0120.174] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logout") returned 0x647c4b1f [0120.175] GetActiveWindow () returned 0x0 [0120.176] GetLastError () returned 0x7f [0120.176] SetLastError (dwErrCode=0x7f) Thread: id = 276 os_tid = 0xf98 Process: id = "138" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5aae6000" os_pid = "0xf9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "137" os_parent_pid = "0xf6c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "139" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52054000" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9502 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9503 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9504 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9505 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9506 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9507 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9508 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9509 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9510 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9511 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9512 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9513 start_va = 0x7ed40000 end_va = 0x7ed62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 9514 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9515 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9516 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9517 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9518 start_va = 0x410000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 9519 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9520 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9521 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9522 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9523 start_va = 0x570000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 9524 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9525 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9526 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9527 start_va = 0x7ec40000 end_va = 0x7ed3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec40000" filename = "" Region: id = 9528 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9529 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9530 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9531 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9532 start_va = 0x710000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 9533 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9534 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9535 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9536 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9537 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9538 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9539 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9540 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9541 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 9542 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9543 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9544 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9545 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9546 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9547 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9548 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9549 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9550 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9551 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9552 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9553 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 9554 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9555 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9556 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9557 start_va = 0x9a0000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 9558 start_va = 0xb30000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 9559 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9560 start_va = 0x570000 end_va = 0x600fff monitored = 0 entry_point = 0x5a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9561 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 9562 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9563 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 9564 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 9565 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 9566 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 9567 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 9568 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 9569 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 9570 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 9571 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 278 os_tid = 0x654 [0120.907] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0120.908] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.908] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0120.908] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.908] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0120.908] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0120.909] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.909] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0120.909] GetProcessHeap () returned 0x610000 [0120.909] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.910] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0120.910] GetLastError () returned 0x7e [0120.910] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0120.910] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0120.910] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x364) returned 0x620a40 [0120.910] SetLastError (dwErrCode=0x7e) [0120.910] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xe00) returned 0x620db0 [0120.912] GetStartupInfoW (in: lpStartupInfo=0x18f744 | out: lpStartupInfo=0x18f744*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0120.912] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0120.912] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0120.912] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0120.912] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId" [0120.912] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId" [0120.912] GetACP () returned 0x4e4 [0120.912] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x220) returned 0x621bb8 [0120.912] IsValidCodePage (CodePage=0x4e4) returned 1 [0120.912] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f764 | out: lpCPInfo=0x18f764) returned 1 [0120.912] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f02c | out: lpCPInfo=0x18f02c) returned 1 [0120.912] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.912] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0120.912] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f040 | out: lpCharType=0x18f040) returned 1 [0120.913] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.913] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0120.913] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0120.913] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0120.913] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0120.913] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0120.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f540, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x13\x1bè\x1a|÷\x18", lpUsedDefaultChar=0x0) returned 256 [0120.913] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0120.913] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0120.913] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0120.913] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0120.913] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f440, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x13\x1bè\x1a|÷\x18", lpUsedDefaultChar=0x0) returned 256 [0120.913] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x80) returned 0x613848 [0120.914] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x16c) returned 0x621de0 [0120.914] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0120.914] GetLastError () returned 0x0 [0120.914] SetLastError (dwErrCode=0x0) [0120.914] GetEnvironmentStringsW () returned 0x621f58* [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0xa8c) returned 0x6229f0 [0120.914] FreeEnvironmentStringsW (penv=0x621f58) returned 1 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x90) returned 0x614798 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3e) returned 0x61aa68 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x5c) returned 0x618a70 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x6e) returned 0x614860 [0120.914] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x78) returned 0x6241b0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x62) returned 0x614c30 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x28) returned 0x613d68 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x613fb8 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1a) returned 0x610570 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3a) returned 0x61abd0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x62) returned 0x613bc8 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2a) returned 0x6188b0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2e) returned 0x6187d0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1c) returned 0x613d98 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x144) returned 0x619c88 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x7c) returned 0x6182d0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x36) returned 0x61e050 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3a) returned 0x61ad38 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x90) returned 0x614370 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x6138e8 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x30) returned 0x618680 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x36) returned 0x61e4d0 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x48) returned 0x6128e8 [0120.915] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x52) returned 0x6104b8 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x3c) returned 0x61b0e0 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0xd6) returned 0x619e48 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2e) returned 0x618728 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x1e) returned 0x612938 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2c) returned 0x618808 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x54) returned 0x613de0 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x52) returned 0x614040 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x613e40 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x42) returned 0x6140a0 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x2c) returned 0x618840 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x44) returned 0x619f78 [0120.916] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x24) returned 0x613918 [0120.917] HeapFree (in: hHeap=0x610000, dwFlags=0x0, lpMem=0x6229f0 | out: hHeap=0x610000) returned 1 [0120.917] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x8, Size=0x800) returned 0x621f58 [0120.917] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0120.917] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0120.917] GetStartupInfoW (in: lpStartupInfo=0x18f7a8 | out: lpStartupInfo=0x18f7a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0120.918] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId" [0120.918] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId", pNumArgs=0x18f794 | out: pNumArgs=0x18f794) returned 0x622ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0120.919] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0120.922] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x1000) returned 0x624490 [0120.922] RtlAllocateHeap (HeapHandle=0x610000, Flags=0x0, Size=0x34) returned 0x61e650 [0120.922] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_sameTokenId", cchWideChar=-1, lpMultiByteStr=0x61e650, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_sameTokenId", lpUsedDefaultChar=0x0) returned 26 [0120.922] GetLastError () returned 0x0 [0120.922] SetLastError (dwErrCode=0x0) [0120.922] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdW") returned 0x0 [0120.922] GetLastError () returned 0x7f [0120.922] SetLastError (dwErrCode=0x7f) [0120.923] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdA") returned 0x0 [0120.923] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenId") returned 0x647c4750 [0120.923] GetActiveWindow () returned 0x0 [0120.924] GetLastError () returned 0x7f [0120.924] SetLastError (dwErrCode=0x7f) Thread: id = 280 os_tid = 0xfb4 Process: id = "140" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b3be000" os_pid = "0xfc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "139" os_parent_pid = "0xc5c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "141" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5c263000" os_pid = "0xfcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9575 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9576 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9577 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9578 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9579 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9580 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9581 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9582 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9583 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 9584 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9585 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9586 start_va = 0x7e980000 end_va = 0x7e9a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 9587 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9588 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9589 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9590 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9593 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9594 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9595 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9596 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9597 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9598 start_va = 0xcd0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 9599 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9600 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9601 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9602 start_va = 0x7e880000 end_va = 0x7e97ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e880000" filename = "" Region: id = 9603 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9604 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 9605 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9606 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9607 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9608 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 9609 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9610 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9611 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9612 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9613 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9614 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9615 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9616 start_va = 0xcc0000 end_va = 0xcc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 9617 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9618 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9619 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9620 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9621 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9622 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9623 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9624 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9625 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9626 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9627 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 9628 start_va = 0xcd0000 end_va = 0xcf9fff monitored = 0 entry_point = 0xcd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9629 start_va = 0xdf0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 9630 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9631 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9632 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9633 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 9634 start_va = 0xcd0000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 9635 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9636 start_va = 0xef0000 end_va = 0xf80fff monitored = 0 entry_point = 0xf28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9637 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9638 start_va = 0xcd0000 end_va = 0xcd2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 9639 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 9640 start_va = 0xef0000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 9642 start_va = 0x10000000 end_va = 0x10023fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 9643 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9644 start_va = 0x1000000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 9645 start_va = 0x743a0000 end_va = 0x743b2fff monitored = 0 entry_point = 0x743a1d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 9646 start_va = 0x6f9d0000 end_va = 0x6f9ebfff monitored = 0 entry_point = 0x6f9d4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 9647 start_va = 0x6f9b0000 end_va = 0x6f9c4fff monitored = 0 entry_point = 0x6f9b5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 9648 start_va = 0x6f9a0000 end_va = 0x6f9a9fff monitored = 0 entry_point = 0x6f9a28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 9649 start_va = 0x6f970000 end_va = 0x6f99efff monitored = 0 entry_point = 0x6f985140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 9650 start_va = 0x6f960000 end_va = 0x6f96ffff monitored = 0 entry_point = 0x6f9634d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 9651 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 9652 start_va = 0x6f940000 end_va = 0x6f958fff monitored = 0 entry_point = 0x6f9447e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 9653 start_va = 0x77200000 end_va = 0x7725efff monitored = 0 entry_point = 0x77204af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 9675 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 9676 start_va = 0xce0000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9705 start_va = 0xce0000 end_va = 0xce3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9706 start_va = 0xd10000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 9707 start_va = 0xcf0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 9708 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 9709 start_va = 0xd20000 end_va = 0xd41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 9710 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9711 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9722 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9731 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9741 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9746 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9753 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9754 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9755 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9763 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9789 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9801 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9819 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9836 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9844 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9849 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9853 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9858 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9859 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9860 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9862 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9884 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9891 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9907 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9924 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9928 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9936 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9957 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9970 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9973 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 9991 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10027 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10042 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10062 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10086 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10093 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10130 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10134 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10161 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10216 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10248 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10271 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10282 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10287 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10291 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10312 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10320 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10334 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10353 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10364 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10369 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10394 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10414 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10446 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10476 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10494 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10499 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10522 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10535 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10574 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10593 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10602 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10609 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10628 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10659 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10688 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10726 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10740 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10750 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10755 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10766 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10813 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10823 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10849 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10878 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10917 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10943 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10973 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10998 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11008 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11013 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11044 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11083 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11134 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11177 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11199 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11235 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11275 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11295 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11337 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11360 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11376 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11388 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11418 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11426 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11440 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11478 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11516 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11537 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11548 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11570 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11583 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11592 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11605 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11607 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11624 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11631 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11643 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11660 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11668 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11676 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11683 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11686 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11693 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11694 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11713 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11727 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11740 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11747 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11761 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11773 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11792 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11805 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11813 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11819 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11820 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 11827 start_va = 0xcf0000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Thread: id = 281 os_tid = 0xfd0 [0121.281] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0121.281] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.281] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0121.281] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.281] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0121.282] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0121.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.282] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0121.283] GetProcessHeap () returned 0xdf0000 [0121.283] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0121.283] GetLastError () returned 0x7e [0121.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0121.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0121.283] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x364) returned 0xe00958 [0121.284] SetLastError (dwErrCode=0x7e) [0121.284] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0xe00) returned 0xe00cc8 [0121.286] GetStartupInfoW (in: lpStartupInfo=0x18f9ec | out: lpStartupInfo=0x18f9ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0121.286] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0121.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0121.286] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0121.286] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must" [0121.286] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must" [0121.286] GetACP () returned 0x4e4 [0121.286] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x0, Size=0x220) returned 0xe01ad0 [0121.286] IsValidCodePage (CodePage=0x4e4) returned 1 [0121.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa0c | out: lpCPInfo=0x18fa0c) returned 1 [0121.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2d4 | out: lpCPInfo=0x18f2d4) returned 1 [0121.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0121.286] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f2e8 | out: lpCharType=0x18f2e8) returned 1 [0121.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0121.286] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.287] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0121.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0121.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0121.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7e8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01Ùñ\x97$ú\x18", lpUsedDefaultChar=0x0) returned 256 [0121.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e8, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0121.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0121.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0121.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6e8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01Ùñ\x97$ú\x18", lpUsedDefaultChar=0x0) returned 256 [0121.287] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x0, Size=0x80) returned 0xdf3800 [0121.287] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0121.287] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x142) returned 0xdf9ba0 [0121.287] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0121.287] GetLastError () returned 0x0 [0121.287] SetLastError (dwErrCode=0x0) [0121.287] GetEnvironmentStringsW () returned 0xe01cf8* [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x0, Size=0xa8c) returned 0xe02790 [0121.288] FreeEnvironmentStringsW (penv=0xe01cf8) returned 1 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x90) returned 0xdf44f8 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x3e) returned 0xdfab30 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x5c) returned 0xdf9990 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x6e) returned 0xdf45c0 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x78) returned 0xe039d0 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x62) returned 0xdf4990 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x28) returned 0xdf3d20 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x48) returned 0xdf3f70 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x1a) returned 0xdf3fc0 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x3a) returned 0xdfa9c8 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x62) returned 0xdf3b80 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x2a) returned 0xdf95a8 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x2e) returned 0xdf9490 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x1c) returned 0xdf0570 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x144) returned 0xe01cf8 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x7c) returned 0xdf8030 [0121.288] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x36) returned 0xdfe2a8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x3a) returned 0xdfae90 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x90) returned 0xdf4330 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x24) returned 0xdf3d50 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x30) returned 0xdf9340 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x36) returned 0xdfdf28 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x48) returned 0xdf38a0 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x52) returned 0xdf28b8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x3c) returned 0xdfa8a8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0xd6) returned 0xdf9d60 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x2e) returned 0xdf93e8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x1e) returned 0xdf38f0 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x2c) returned 0xdf9458 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x54) returned 0xdf04b8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x52) returned 0xdf3d98 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x24) returned 0xdf3df8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x42) returned 0xdf4000 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x2c) returned 0xdf94c8 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x44) returned 0xdf4050 [0121.289] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x24) returned 0xdf9e90 [0121.290] HeapFree (in: hHeap=0xdf0000, dwFlags=0x0, lpMem=0xe02790 | out: hHeap=0xdf0000) returned 1 [0121.290] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x800) returned 0xe01e48 [0121.290] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0121.290] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0121.290] GetStartupInfoW (in: lpStartupInfo=0x18fa50 | out: lpStartupInfo=0x18fa50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0121.290] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must" [0121.290] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must", pNumArgs=0x18fa3c | out: pNumArgs=0x18fa3c) returned 0xe02a98*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0121.291] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0121.294] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x0, Size=0x1000) returned 0xe04230 [0121.294] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x0, Size=0xa) returned 0xdfa080 [0121.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="must", cchWideChar=-1, lpMultiByteStr=0xdfa080, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="must", lpUsedDefaultChar=0x0) returned 5 [0121.294] GetLastError () returned 0x0 [0121.294] SetLastError (dwErrCode=0x0) [0121.294] GetProcAddress (hModule=0x647c0000, lpProcName="mustW") returned 0x0 [0121.294] GetLastError () returned 0x7f [0121.294] SetLastError (dwErrCode=0x7f) [0121.294] GetProcAddress (hModule=0x647c0000, lpProcName="mustA") returned 0x0 [0121.294] GetProcAddress (hModule=0x647c0000, lpProcName="must") returned 0x647c4e94 [0121.295] GetActiveWindow () returned 0x0 [0121.295] VirtualAlloc (lpAddress=0x0, dwSize=0x2d82, flAllocationType=0x3000, flProtect=0x4) returned 0xcd0000 [0121.296] VirtualProtect (in: lpAddress=0xcd0000, dwSize=0x2d82, flNewProtect=0x20, lpflOldProtect=0x18f974 | out: lpflOldProtect=0x18f974*=0x4) returned 1 [0121.306] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x100000) returned 0xefe020 [0121.334] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x4) returned 0xdf40a0 [0121.334] RtlAllocateHeap (HeapHandle=0xdf0000, Flags=0x8, Size=0x20800) returned 0xe05238 [0121.337] RtlFreeHeap (HeapHandle=0xdf0000, Flags=0x0, BaseAddress=0xdf40a0) returned 1 [0121.339] GetNativeSystemInfo (in: lpSystemInfo=0x18f7fc | out: lpSystemInfo=0x18f7fc*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0121.340] VirtualAlloc (lpAddress=0x10000000, dwSize=0x24000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0121.344] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x754e0000 [0121.344] GetProcAddress (hModule=0x754e0000, lpProcName="_snprintf") returned 0x75555020 [0121.344] GetProcAddress (hModule=0x754e0000, lpProcName="memchr") returned 0x75568380 [0121.344] GetProcAddress (hModule=0x754e0000, lpProcName="malloc") returned 0x75527900 [0121.344] GetProcAddress (hModule=0x754e0000, lpProcName="_errno") returned 0x75515cd0 [0121.344] GetProcAddress (hModule=0x754e0000, lpProcName="_strtoi64") returned 0x75511e60 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnprintf") returned 0x755563d0 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="memset") returned 0x75568c80 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="qsort") returned 0x7553c200 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="_ftol2_sse") returned 0x7557a580 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnwprintf") returned 0x75556840 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="free") returned 0x75527740 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="_time64") returned 0x7556ea10 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="strncpy") returned 0x75569350 [0121.345] GetProcAddress (hModule=0x754e0000, lpProcName="strchr") returned 0x75568d90 [0121.346] GetProcAddress (hModule=0x754e0000, lpProcName="strtod") returned 0x75511ba0 [0121.346] GetProcAddress (hModule=0x754e0000, lpProcName="localeconv") returned 0x7553c100 [0121.346] GetProcAddress (hModule=0x754e0000, lpProcName="memcpy") returned 0x755684a0 [0121.346] GetProcAddress (hModule=0x754e0000, lpProcName="atol") returned 0x7550fe40 [0121.346] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75820000 [0121.346] GetProcAddress (hModule=0x75820000, lpProcName="FindNextFileW") returned 0x758469a0 [0121.346] GetProcAddress (hModule=0x75820000, lpProcName="GetTickCount") returned 0x75845eb0 [0121.346] GetProcAddress (hModule=0x75820000, lpProcName="SetThreadPriority") returned 0x75839990 [0121.346] GetProcAddress (hModule=0x75820000, lpProcName="FlushFileBuffers") returned 0x758469b0 [0121.346] GetProcAddress (hModule=0x75820000, lpProcName="LocalAlloc") returned 0x75837a30 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="GetExitCodeProcess") returned 0x7583fdb0 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemTimeAsFileTime") returned 0x75837620 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="GetFileAttributesW") returned 0x75846a50 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="MultiByteToWideChar") returned 0x75832ad0 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="SetCurrentDirectoryA") returned 0x75862290 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="Sleep") returned 0x75837990 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpiW") returned 0x75837590 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="GetDriveTypeW") returned 0x75846a10 [0121.347] GetProcAddress (hModule=0x75820000, lpProcName="GetLastError") returned 0x75833870 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="CreateDirectoryW") returned 0x75846860 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatA") returned 0x7583f640 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="CreateMutexW") returned 0x758466f0 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentThread") returned 0x758375f0 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="GetProcessId") returned 0x7583a6a0 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="DisconnectNamedPipe") returned 0x75860990 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpA") returned 0x7583cc30 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="K32GetModuleFileNameExW") returned 0x758616a0 [0121.348] GetProcAddress (hModule=0x75820000, lpProcName="MoveFileW") returned 0x7583b1d0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="ExitThread") returned 0x776b7a80 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="GetNumberFormatA") returned 0x75876060 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcessId") returned 0x758323e0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="SwitchToThread") returned 0x7583a690 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleW") returned 0x75839bc0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="GetProcAddress") returned 0x758378b0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="HeapCreate") returned 0x7583a100 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="HeapFree") returned 0x75831ba0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="HeapAlloc") returned 0x77682bd0 [0121.349] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleA") returned 0x758399f0 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryA") returned 0x75844bf0 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcess") returned 0x758338c0 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatW") returned 0x7585d170 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="WideCharToMultiByte") returned 0x75833880 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="FindFirstFileW") returned 0x75846960 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="GetWindowsDirectoryW") returned 0x75845120 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="SetFileAttributesW") returned 0x75846c20 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="lstrlenW") returned 0x75833690 [0121.350] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryW") returned 0x7583a840 [0121.351] GetProcAddress (hModule=0x75820000, lpProcName="FreeLibrary") returned 0x75839f50 [0121.351] GetProcAddress (hModule=0x75820000, lpProcName="GetCommandLineW") returned 0x7583aba0 [0121.351] GetProcAddress (hModule=0x75820000, lpProcName="GetVersionExA") returned 0x7583a700 [0121.351] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemInfo") returned 0x7583a0f0 [0121.351] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentDirectoryW") returned 0x7583a9a0 [0121.351] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ec0000 [0121.351] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffA") returned 0x74f4aba0 [0121.351] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffW") returned 0x74ef4d90 [0121.351] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75e00000 [0121.351] GetProcAddress (hModule=0x75e00000, lpProcName="CommandLineToArgvW") returned 0x75fabf80 [0121.351] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a90000 [0121.352] GetProcAddress (hModule=0x75a90000, lpProcName="CoCreateInstance") returned 0x75690060 [0121.352] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeEx") returned 0x756688d0 [0121.352] GetProcAddress (hModule=0x75a90000, lpProcName="CoSetProxyBlanket") returned 0x756660a0 [0121.352] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeSecurity") returned 0x756d3870 [0121.352] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74bb0000 [0121.356] GetProcAddress (hModule=0x74bb0000, lpProcName=0x14) returned 0x74bc2a10 [0121.356] GetProcAddress (hModule=0x74bb0000, lpProcName=0x6) returned 0x74bc9d40 [0121.356] GetProcAddress (hModule=0x74bb0000, lpProcName=0x2) returned 0x74bc9c90 [0121.356] GetProcAddress (hModule=0x74bb0000, lpProcName=0x9) returned 0x74bc9570 [0121.357] GetProcAddress (hModule=0x74bb0000, lpProcName=0x13) returned 0x74bc25b0 [0121.357] GetProcAddress (hModule=0x74bb0000, lpProcName=0x10) returned 0x74bc6200 [0121.357] GetProcAddress (hModule=0x74bb0000, lpProcName=0x19) returned 0x74bc5830 [0121.357] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x18800, flNewProtect=0x20, lpflOldProtect=0x18f8b8 | out: lpflOldProtect=0x18f8b8*=0x4) returned 1 [0121.360] VirtualProtect (in: lpAddress=0x1001a000, dwSize=0x4800, flNewProtect=0x2, lpflOldProtect=0x18f8b8 | out: lpflOldProtect=0x18f8b8*=0x4) returned 1 [0121.360] VirtualProtect (in: lpAddress=0x1001f000, dwSize=0x2000, flNewProtect=0x4, lpflOldProtect=0x18f8b8 | out: lpflOldProtect=0x18f8b8*=0x4) returned 1 [0121.360] VirtualProtect (in: lpAddress=0x10022000, dwSize=0x600, flNewProtect=0x2, lpflOldProtect=0x18f8b8 | out: lpflOldProtect=0x18f8b8*=0x4) returned 1 [0121.360] VirtualProtect (in: lpAddress=0x10023000, dwSize=0xe00, flNewProtect=0x2, lpflOldProtect=0x18f8b8 | out: lpflOldProtect=0x18f8b8*=0x4) returned 1 [0121.360] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0121.361] HeapCreate (flOptions=0x0, dwInitialSize=0x96000, dwMaximumSize=0x0) returned 0x1000000 [0121.363] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x100) returned 0x107f5a8 [0121.364] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x7a) returned 0x107f6b0 [0121.365] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f46c, cchNumber=34 | out: lpNumberStr="") returned 0 [0121.366] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x28) returned 0x107f738 [0121.366] GetFileAttributesW (lpFileName="C:\\INTERNAL\\__empty" (normalized: "c:\\internal\\__empty")) returned 0xffffffff [0121.372] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.385] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.386] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f6e4, cbMultiByte=-1, lpWideCharStr=0x18f4e4, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0121.388] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f738 [0121.388] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0121.388] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x144) returned 0x107f750 [0121.395] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0121.395] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0121.396] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.396] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f738 [0121.396] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0121.396] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x144) returned 0x107f8a0 [0121.402] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0121.402] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0121.403] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.403] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x107f738 [0121.403] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77650000 [0121.403] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x40) returned 0x107f9f0 [0121.404] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.404] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x107f738 [0121.404] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74ec0000 [0121.405] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x6c) returned 0x107fa38 [0121.405] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.405] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x107f738 [0121.405] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x74a60000 [0121.406] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x24) returned 0x107fab0 [0121.406] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.406] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f738 [0121.406] LoadLibraryA (lpLibFileName="netapi32.dll") returned 0x743a0000 [0121.413] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x18) returned 0x107fae0 [0121.413] LoadLibraryA (lpLibFileName="SRVCLI.dll") returned 0x6f9d0000 [0121.442] GetProcAddress (hModule=0x6f9d0000, lpProcName="NetShareEnum") returned 0x6f9d4140 [0121.443] LoadLibraryA (lpLibFileName="SAMCLI.dll") returned 0x6f9b0000 [0121.453] GetProcAddress (hModule=0x6f9b0000, lpProcName="NetUserEnum") returned 0x6f9bc010 [0121.453] LoadLibraryA (lpLibFileName="NETUTILS.dll") returned 0x6f9a0000 [0121.459] GetProcAddress (hModule=0x6f9a0000, lpProcName="NetApiBufferFree") returned 0x6f9a16d0 [0121.459] LoadLibraryA (lpLibFileName="LOGONCLI.dll") returned 0x6f970000 [0121.485] GetProcAddress (hModule=0x6f970000, lpProcName="NetGetDCName") returned 0x6f98de00 [0121.485] LoadLibraryA (lpLibFileName="WKSCLI.dll") returned 0x6f960000 [0121.497] GetProcAddress (hModule=0x6f960000, lpProcName="NetGetJoinInformation") returned 0x6f962e90 [0121.497] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.497] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f738 [0121.497] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77260000 [0121.497] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd4) returned 0x107fb00 [0121.500] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.500] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f738 [0121.500] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x75a40000 [0121.500] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2c) returned 0x107fbe0 [0121.501] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.501] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f738 [0121.501] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75e00000 [0121.501] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x107fc18 [0121.501] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.501] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f738 [0121.501] LoadLibraryA (lpLibFileName="userenv.dll") returned 0x6f940000 [0121.510] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107fc28 [0121.510] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.510] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x107f738 [0121.511] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77200000 [0121.537] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x107fc38 [0121.537] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.537] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x20) returned 0x107fc50 [0121.538] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107fc50 | out: hHeap=0x1000000) returned 1 [0121.539] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x1ac4) returned 0x107fc50 [0121.539] GetCurrentProcessId () returned 0xfcc [0121.539] GetTickCount64 () returned 0x1d142f1 [0121.539] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1081294, nSize=0x105 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0121.539] GetCurrentProcess () returned 0xffffffff [0121.540] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ee9c | out: TokenHandle=0x18ee9c*=0x1b4) returned 1 [0121.540] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ee7c | out: TokenInformation=0x0, ReturnLength=0x18ee7c) returned 0 [0121.540] GetLastError () returned 0x7a [0121.540] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x24) returned 0x1081720 [0121.540] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0x1081720, TokenInformationLength=0x24, ReturnLength=0x18ee8c | out: TokenInformation=0x1081720, ReturnLength=0x18ee8c) returned 1 [0121.540] CloseHandle (hObject=0x1b4) returned 1 [0121.540] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18ee94, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18ee9c | out: pSid=0x18ee9c*=0xdfa050*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0121.540] EqualSid (pSid1=0x1081728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0xdfa050*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0121.540] GetCurrentThread () returned 0xfffffffe [0121.540] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18ee70 | out: TokenHandle=0x18ee70*=0x0) returned 0 [0121.540] GetLastError () returned 0x3f0 [0121.540] GetCurrentProcess () returned 0xffffffff [0121.540] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ee70 | out: TokenHandle=0x18ee70*=0x1b4) returned 1 [0121.540] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ee68 | out: TokenInformation=0x0, ReturnLength=0x18ee68) returned 0 [0121.540] GetLastError () returned 0x7a [0121.540] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x140) returned 0x1081750 [0121.540] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0x1081750, TokenInformationLength=0x140, ReturnLength=0x18ee8c | out: TokenInformation=0x1081750, ReturnLength=0x18ee8c) returned 1 [0121.541] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18ee84, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18ee98 | out: pSid=0x18ee98*=0xdfa1e8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0121.541] EqualSid (pSid1=0x10817c4*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0xdfa1e8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0121.541] EqualSid (pSid1=0x10817e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), pSid2=0xdfa1e8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0121.541] EqualSid (pSid1=0x10817ec*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x72), pSid2=0xdfa1e8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0121.541] EqualSid (pSid1=0x10817f8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xdfa1e8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0121.541] CloseHandle (hObject=0x1b4) returned 1 [0121.542] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081750 | out: hHeap=0x1000000) returned 1 [0121.542] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0x18ee9c, BufferType=0x18ee98 | out: lpNameBuffer=0x18ee9c*="WORKGROUP", BufferType=0x18ee98) returned 0x0 [0121.587] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x1081750 [0121.588] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0x18ee9c | out: bufptr=0x18ee9c) returned 0x995 [0121.592] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x1081728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), Name=0x107fd64, cchName=0x18f8fc, ReferencedDomainName=0x18f678, cchReferencedDomainName=0x18f900, peUse=0x18f8f8 | out: Name="RDhJ0CNFevzX", cchName=0x18f8fc, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0x18f900, peUse=0x18f8f8) returned 1 [0121.594] GetSystemMetrics (nIndex=4096) returned 0 [0121.722] GetModuleFileNameW (in: hModule=0x10000000, lpFilename=0x107fe78, nSize=0x104 | out: lpFilename="") returned 0x0 [0121.722] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must" [0121.722] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must", pNumArgs=0x18ee94 | out: pNumArgs=0x18ee94) returned 0xe282d8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0121.722] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe") returned 40 [0121.722] GetComputerNameW (in: lpBuffer=0x18ea8c, nSize=0x18ec90 | out: lpBuffer="XC64ZB", nSize=0x18ec90) returned 1 [0121.722] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18e60c, cchNumber=34 | out: lpNumberStr="\x8cê\x18") returned 0 [0121.722] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x107f738 [0121.722] GetVolumeInformationW (in: lpRootPathName="c:\\\\", lpVolumeNameBuffer=0x18e68c, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x18ec94, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e88c, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18ec94*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0121.722] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.722] _vsnwprintf (in: _Buffer=0x18ecac, _BufferCount=0xfa, _Format="%u", _ArgList=0x18e67c | out: _Buffer="203980600") returned 9 [0121.723] lstrcatW (in: lpString1="XC64ZB203980600", lpString2="RDhJ0CNFevzX" | out: lpString1="XC64ZB203980600RDhJ0CNFevzX") returned="XC64ZB203980600RDhJ0CNFevzX" [0121.723] CharUpperBuffW (in: lpsz="XC64ZB203980600RDhJ0CNFevzX", cchLength=0x1b | out: lpsz="XC64ZB203980600RDHJ0CNFEVZX") returned 0x1b [0121.723] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x21) returned 0x1081770 [0121.723] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0121.723] lstrlenW (lpString="䉁䑃䙅䆫\x18큈") returned 7 [0121.723] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.723] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.723] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.724] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.724] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.724] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.724] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0121.724] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.724] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x107fd00, cbMultiByte=-1, lpWideCharStr=0x107fd20, cchWideChar=32 | out: lpWideCharStr="fdircmne") returned 9 [0121.724] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x1b) returned 0x1081770 [0121.724] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x107f738 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0121.725] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.725] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0121.725] GetCurrentProcess () returned 0xffffffff [0121.725] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ee9c | out: TokenHandle=0x18ee9c*=0x1fc) returned 1 [0121.725] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ee7c | out: TokenInformation=0x0, ReturnLength=0x18ee7c) returned 0 [0121.725] GetLastError () returned 0x7a [0121.725] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x1081770 [0121.725] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0x1081770, TokenInformationLength=0x14, ReturnLength=0x18ee94 | out: TokenInformation=0x1081770, ReturnLength=0x18ee94) returned 1 [0121.725] GetSidSubAuthorityCount (pSid=0x1081778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x1081779 [0121.725] GetSidSubAuthority (pSid=0x1081778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x1081780 [0121.725] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.726] CloseHandle (hObject=0x1fc) returned 1 [0121.726] GetVersionExA (in: lpVersionInformation=0x107fc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x107fc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0121.726] GetCurrentProcess () returned 0xffffffff [0121.726] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ee9c | out: Wow64Process=0x18ee9c*=1) returned 1 [0121.726] GetWindowsDirectoryW (in: lpBuffer=0x1080c70, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0121.726] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18ee34, cchNumber=34 | out: lpNumberStr="") returned 0 [0121.726] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x16) returned 0x1081770 [0121.726] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x18f66c, nSize=0x104 | out: lpBuffer="") returned 0xa [0121.726] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.726] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x1081084, nSize=0x209 | out: lpBuffer="") returned 0x15 [0121.726] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x1080e7a, nSize=0x20a | out: lpBuffer="") returned 0x24 [0121.726] GetEnvironmentVariableW (in: lpName="SystemDrive", lpBuffer=0x18f878, nSize=0x40 | out: lpBuffer="") returned 0x2 [0121.726] GetComputerNameW (in: lpBuffer=0x10815ec, nSize=0x18f900 | out: lpBuffer="XC64ZB", nSize=0x18f900) returned 1 [0121.726] lstrlenW (lpString="䉁䑃䙅睬ꂼე￾ÿ\x18䬇ခ\x18") returned 14 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.726] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.727] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.728] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.728] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.728] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.728] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] lstrlenW (lpString="䉁䑃䙅") returned 3 [0121.729] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2d) returned 0x1081770 [0121.729] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f738 [0121.729] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x10817a8 [0121.729] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x13) returned 0x10817c0 [0121.729] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x10817e0 [0121.731] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.734] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x26) returned 0x1081770 [0121.734] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x10817f8 [0121.734] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1081810 [0121.734] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1081828 [0121.734] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1081840 [0121.735] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1081770 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x1081788 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1081858 [0121.735] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1081770 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x1081798 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1081870 [0121.735] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x1081888 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x1081770 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x10818a8 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x10818b8 [0121.735] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081888 | out: hHeap=0x1000000) returned 1 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x12) returned 0x1081888 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x10818d0 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x10818e0 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x10818f8 [0121.735] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081888 | out: hHeap=0x1000000) returned 1 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x25) returned 0x1081910 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1081888 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1081940 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x1081958 [0121.735] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x1081970 [0121.736] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081910 | out: hHeap=0x1000000) returned 1 [0121.736] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x53) returned 0x107f008 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x18) returned 0x1081910 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f068 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x107f0c0 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x107f210 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f120 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x107f228 [0121.739] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f1c8 [0121.740] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f008 | out: hHeap=0x1000000) returned 1 [0121.740] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2f) returned 0x107f008 [0121.740] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f258 [0121.740] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x15) returned 0x107f040 [0121.740] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f240 [0121.740] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f270 [0121.740] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f008 | out: hHeap=0x1000000) returned 1 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x3e) returned 0x107f288 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x107f198 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x107f0f0 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f0a8 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x107f008 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xf) returned 0x107f0d8 [0121.741] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f288 | out: hHeap=0x1000000) returned 1 [0121.741] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xf) returned 0x107f138 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x1081930 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xf) returned 0x107f108 [0121.742] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f138 | out: hHeap=0x1000000) returned 1 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x107f138 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f028 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x107f150 [0121.742] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f138 | out: hHeap=0x1000000) returned 1 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x22) returned 0x107f288 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x107f138 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x107f168 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x107f1e0 [0121.742] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x107f180 [0121.743] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f288 | out: hHeap=0x1000000) returned 1 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x107f1b0 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f288 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x107f1f8 [0121.743] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f1b0 | out: hHeap=0x1000000) returned 1 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x1c) returned 0x107f298 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x107f2c0 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x107f1b0 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1000b58 [0121.743] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f298 | out: hHeap=0x1000000) returned 1 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x10009f0 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f298 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x9) returned 0x1000a38 [0121.743] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10009f0 | out: hHeap=0x1000000) returned 1 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2b) returned 0x107f2d0 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1000ac8 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x10009a8 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x10) returned 0x1000b10 [0121.743] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x1000b40 [0121.744] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0121.744] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x72) returned 0x107f2d0 [0121.744] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x107f350 [0121.744] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x18) returned 0x107f370 [0121.744] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x19) returned 0x107f390 [0121.744] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x12) returned 0x107f3b8 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x20) returned 0x107f3d8 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xf) returned 0x1000a50 [0121.745] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x30) returned 0x107f2d0 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x107f2a8 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x25) returned 0x107f308 [0121.745] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x1000ae0 [0121.746] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0121.746] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2a) returned 0x107f2d0 [0121.746] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1000af8 [0121.746] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1000b28 [0121.746] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x10008e8 [0121.746] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x11) returned 0x107f400 [0121.747] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x2a) returned 0x107f2d0 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x107f338 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x14) returned 0x107f420 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x16) returned 0x107f440 [0121.747] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x1000900 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f2d0 [0121.747] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xa) returned 0x1000a08 [0121.748] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000900 | out: hHeap=0x1000000) returned 1 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1000ba0 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f2e0 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xd) returned 0x1000b70 [0121.748] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000ba0 | out: hHeap=0x1000000) returned 1 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x1000b88 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x4) returned 0x107f2f0 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xb) returned 0x1000ba0 [0121.748] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b88 | out: hHeap=0x1000000) returned 1 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x1f) returned 0x107f460 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x8) returned 0x1000e60 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xe) returned 0x1000b88 [0121.748] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x11) returned 0x107f488 [0121.748] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f460 | out: hHeap=0x1000000) returned 1 [0121.748] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0121.759] Process32First (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0121.760] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x20) returned 0x107f460 [0121.761] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f460 | out: hHeap=0x1000000) returned 1 [0121.761] Sleep (dwMilliseconds=0xa) [0121.863] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x77, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0121.864] Sleep (dwMilliseconds=0xa) [0121.966] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0121.967] Sleep (dwMilliseconds=0xa) [0122.062] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0122.063] Sleep (dwMilliseconds=0xa) [0122.132] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0122.133] Sleep (dwMilliseconds=0xa) [0122.164] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0122.166] Sleep (dwMilliseconds=0xa) [0122.203] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0122.204] Sleep (dwMilliseconds=0xa) [0122.236] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0122.237] Sleep (dwMilliseconds=0xa) [0122.296] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0122.297] Sleep (dwMilliseconds=0xa) [0122.395] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.396] Sleep (dwMilliseconds=0xa) [0122.534] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.535] Sleep (dwMilliseconds=0xa) [0122.648] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1fc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0122.649] Sleep (dwMilliseconds=0xa) [0122.829] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.829] Sleep (dwMilliseconds=0xa) [0122.874] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.875] Sleep (dwMilliseconds=0xa) [0122.924] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.924] Sleep (dwMilliseconds=0xa) [0122.977] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0122.978] Sleep (dwMilliseconds=0xa) [0123.034] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0123.035] Sleep (dwMilliseconds=0xa) [0123.071] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0123.073] Sleep (dwMilliseconds=0xa) [0123.097] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0123.099] Sleep (dwMilliseconds=0xa) [0123.136] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0123.138] Sleep (dwMilliseconds=0xa) [0123.194] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0123.195] Sleep (dwMilliseconds=0xa) [0123.252] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0123.253] Sleep (dwMilliseconds=0xa) [0123.589] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0123.591] Sleep (dwMilliseconds=0xa) [0123.658] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x778, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x764, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0123.659] Sleep (dwMilliseconds=0xa) [0123.691] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0123.693] Sleep (dwMilliseconds=0xa) [0123.830] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0123.831] Sleep (dwMilliseconds=0xa) [0123.931] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0123.932] Sleep (dwMilliseconds=0xa) [0124.136] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.137] Sleep (dwMilliseconds=0xa) [0124.154] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0124.155] Sleep (dwMilliseconds=0xa) [0124.212] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ApplicationFrameHost.exe")) returned 1 [0124.213] Sleep (dwMilliseconds=0xa) [0124.292] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SystemSettings.exe")) returned 1 [0124.294] Sleep (dwMilliseconds=0xa) [0124.363] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0124.364] Sleep (dwMilliseconds=0xa) [0124.445] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0124.447] Sleep (dwMilliseconds=0xa) [0124.540] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0124.541] Sleep (dwMilliseconds=0xa) [0124.617] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0124.618] Sleep (dwMilliseconds=0xa) [0124.733] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="require-wife.exe")) returned 1 [0124.734] Sleep (dwMilliseconds=0xa) [0124.771] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hold_just.exe")) returned 1 [0124.772] Sleep (dwMilliseconds=0xa) [0124.905] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hear.exe")) returned 1 [0124.906] Sleep (dwMilliseconds=0xa) [0125.353] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sourcecampaignmake.exe")) returned 1 [0125.354] Sleep (dwMilliseconds=0xa) [0125.687] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="natureinformationidea.exe")) returned 1 [0125.688] Sleep (dwMilliseconds=0xa) [0125.759] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="entire-oil-if.exe")) returned 1 [0125.760] Sleep (dwMilliseconds=0xa) [0125.837] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="him_between.exe")) returned 1 [0125.838] Sleep (dwMilliseconds=0xa) [0125.907] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sort few.exe")) returned 1 [0125.908] Sleep (dwMilliseconds=0xa) [0125.946] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="involve_her_hundred.exe")) returned 1 [0125.946] Sleep (dwMilliseconds=0xa) [0125.987] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="page.exe")) returned 1 [0125.988] Sleep (dwMilliseconds=0xa) [0126.089] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="say glass.exe")) returned 1 [0126.090] Sleep (dwMilliseconds=0xa) [0126.202] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour.exe")) returned 1 [0126.203] Sleep (dwMilliseconds=0xa) [0126.305] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="red.exe")) returned 1 [0126.306] Sleep (dwMilliseconds=0xa) [0126.445] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="stockupon.exe")) returned 1 [0126.446] Sleep (dwMilliseconds=0xa) [0126.542] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="method.exe")) returned 1 [0126.544] Sleep (dwMilliseconds=0xa) [0126.649] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="huge-on-his.exe")) returned 1 [0126.650] Sleep (dwMilliseconds=0xa) [0126.765] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0126.766] Sleep (dwMilliseconds=0xa) [0126.877] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0126.878] Sleep (dwMilliseconds=0xa) [0127.021] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0127.022] Sleep (dwMilliseconds=0xa) [0127.178] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0127.179] Sleep (dwMilliseconds=0xa) [0127.226] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0127.227] Sleep (dwMilliseconds=0xa) [0127.328] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0127.330] Sleep (dwMilliseconds=0xa) [0127.539] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0127.540] Sleep (dwMilliseconds=0xa) [0127.838] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0127.840] Sleep (dwMilliseconds=0xa) [0128.057] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0128.058] Sleep (dwMilliseconds=0xa) [0128.234] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0128.236] Sleep (dwMilliseconds=0xa) [0128.340] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0128.341] Sleep (dwMilliseconds=0xa) [0128.446] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0128.447] Sleep (dwMilliseconds=0xa) [0128.524] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0128.525] Sleep (dwMilliseconds=0xa) [0128.682] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0128.684] Sleep (dwMilliseconds=0xa) [0128.835] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0128.837] Sleep (dwMilliseconds=0xa) [0128.927] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0128.928] Sleep (dwMilliseconds=0xa) [0129.021] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0129.022] Sleep (dwMilliseconds=0xa) [0129.253] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0129.255] Sleep (dwMilliseconds=0xa) [0129.316] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0129.317] Sleep (dwMilliseconds=0xa) [0129.390] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0129.392] Sleep (dwMilliseconds=0xa) [0129.448] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0129.450] Sleep (dwMilliseconds=0xa) [0129.532] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0129.534] Sleep (dwMilliseconds=0xa) [0129.644] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0129.645] Sleep (dwMilliseconds=0xa) [0129.768] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0129.769] Sleep (dwMilliseconds=0xa) [0129.850] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0129.851] Sleep (dwMilliseconds=0xa) [0130.030] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0130.032] Sleep (dwMilliseconds=0xa) [0130.104] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0130.105] Sleep (dwMilliseconds=0xa) [0130.173] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0130.175] Sleep (dwMilliseconds=0xa) [0130.281] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0130.282] Sleep (dwMilliseconds=0xa) [0130.468] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0130.470] Sleep (dwMilliseconds=0xa) [0130.849] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x100c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0130.850] Sleep (dwMilliseconds=0xa) [0131.770] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0131.772] Sleep (dwMilliseconds=0xa) [0131.980] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0131.982] Sleep (dwMilliseconds=0xa) [0132.184] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0132.186] Sleep (dwMilliseconds=0xa) [0132.417] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0132.418] Sleep (dwMilliseconds=0xa) [0132.633] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1048, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0132.635] Sleep (dwMilliseconds=0xa) [0132.827] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0132.828] Sleep (dwMilliseconds=0xa) [0132.982] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x105c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0132.984] Sleep (dwMilliseconds=0xa) [0133.189] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x106c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0133.190] Sleep (dwMilliseconds=0xa) [0133.411] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0133.413] Sleep (dwMilliseconds=0xa) [0133.630] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1084, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0133.631] Sleep (dwMilliseconds=0xa) [0133.778] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1094, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0133.782] Sleep (dwMilliseconds=0xa) [0133.881] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0133.882] Sleep (dwMilliseconds=0xa) [0134.004] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="assume-use.exe")) returned 1 [0134.005] Sleep (dwMilliseconds=0xa) [0134.158] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="soonfilmsuggest.exe")) returned 1 [0134.159] Sleep (dwMilliseconds=0xa) [0134.272] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0134.274] Sleep (dwMilliseconds=0xa) [0134.348] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0134.350] Sleep (dwMilliseconds=0xa) [0134.436] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x133c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x364, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0134.438] Sleep (dwMilliseconds=0xa) [0134.674] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x111c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0134.676] Sleep (dwMilliseconds=0xa) [0134.829] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0134.831] Sleep (dwMilliseconds=0xa) [0134.931] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0134.932] Sleep (dwMilliseconds=0xa) [0135.058] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.061] Sleep (dwMilliseconds=0xa) [0135.135] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.137] Sleep (dwMilliseconds=0xa) [0135.188] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.190] Sleep (dwMilliseconds=0xa) [0135.247] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.248] Sleep (dwMilliseconds=0xa) [0135.341] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.342] Sleep (dwMilliseconds=0xa) [0135.406] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.407] Sleep (dwMilliseconds=0xa) [0135.495] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x130c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.496] Sleep (dwMilliseconds=0xa) [0135.581] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.583] Sleep (dwMilliseconds=0xa) [0135.677] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0x5f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.678] Sleep (dwMilliseconds=0xa) [0135.790] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x138c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x5f0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0135.791] Sleep (dwMilliseconds=0xa) [0135.864] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0135.865] Sleep (dwMilliseconds=0xa) [0136.032] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.034] Sleep (dwMilliseconds=0xa) [0136.132] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0x1368, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.133] Sleep (dwMilliseconds=0xa) [0136.177] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1368, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0136.178] Sleep (dwMilliseconds=0xa) [0136.237] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.238] Sleep (dwMilliseconds=0xa) [0136.274] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xb70, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.275] Sleep (dwMilliseconds=0xa) [0136.300] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xb70, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0136.301] Sleep (dwMilliseconds=0xa) [0136.351] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.352] Sleep (dwMilliseconds=0xa) [0136.386] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xc10, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.387] Sleep (dwMilliseconds=0xa) [0136.427] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0xc10, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0136.428] Sleep (dwMilliseconds=0xa) [0136.453] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xbe0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.454] Sleep (dwMilliseconds=0xa) [0136.514] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.515] Sleep (dwMilliseconds=0xa) [0136.556] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0136.557] Sleep (dwMilliseconds=0xa) [0136.595] Process32Next (in: hSnapshot=0x1fc, lppe=0x18ebc0 | out: lppe=0x18ebc0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 0 [0136.596] CloseHandle (hObject=0x1fc) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10817a8 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10817c0 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10817e0 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f738 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081810 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081828 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081840 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10817f8 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081858 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081788 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081870 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081798 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10818a8 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10818b8 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10818e0 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10818f8 | out: hHeap=0x1000000) returned 1 [0136.597] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10818d0 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081940 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081958 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081970 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081888 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f068 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f0c0 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f210 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f120 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f228 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f1c8 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081910 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f040 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f240 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f270 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f258 | out: hHeap=0x1000000) returned 1 [0136.598] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f0f0 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f0a8 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f008 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f0d8 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f198 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f108 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081930 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f150 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f028 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f168 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f1e0 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f180 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f138 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f1f8 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f288 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f1b0 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b58 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2c0 | out: hHeap=0x1000000) returned 1 [0136.599] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000a38 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f298 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10009a8 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b10 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b40 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000ac8 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f370 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f390 | out: hHeap=0x1000000) returned 1 [0136.600] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f3b8 | out: hHeap=0x1000000) returned 1 [0136.601] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f3d8 | out: hHeap=0x1000000) returned 1 [0136.601] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000a50 | out: hHeap=0x1000000) returned 1 [0136.601] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f350 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f308 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000ae0 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2a8 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b28 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10008e8 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f400 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000af8 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f420 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f440 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f338 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000a08 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2d0 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b70 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2e0 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000ba0 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f2f0 | out: hHeap=0x1000000) returned 1 [0136.602] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000b88 | out: hHeap=0x1000000) returned 1 [0136.603] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f488 | out: hHeap=0x1000000) returned 1 [0136.603] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000e60 | out: hHeap=0x1000000) returned 1 [0136.603] lstrlenW (lpString="䉁䑃䙅Ňခx") returned 7 [0136.603] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0xc) returned 0x1000978 [0136.603] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f620, cchNumber=34 | out: lpNumberStr="è\x07Î") returned 0 [0136.604] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x42) returned 0x107f008 [0136.604] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\wermgr.exe", lpDst=0x18f6a0, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\wermgr.exe") returned 0x1f [0136.604] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f008 | out: hHeap=0x1000000) returned 1 [0136.604] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x3e) returned 0x107f008 [0136.604] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f620, cchNumber=34 | out: lpNumberStr="<") returned 0 [0136.604] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x5a) returned 0x1000eb0 [0136.604] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\backgroundTaskHost.exe", lpDst=0x18f6a0, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\backgroundTaskHost.exe") returned 0x2b [0136.605] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000eb0 | out: hHeap=0x1000000) returned 1 [0136.605] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x56) returned 0x1000eb0 [0136.605] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f620, cchNumber=34 | out: lpNumberStr="T") returned 0 [0136.605] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x42) returned 0x1000f10 [0136.605] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\dxdiag.exe", lpDst=0x18f6a0, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\dxdiag.exe") returned 0x1f [0136.606] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000f10 | out: hHeap=0x1000000) returned 1 [0136.606] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x3e) returned 0x1000f10 [0136.606] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\wermgr.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f880*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f8d8 | out: lpCommandLine="C:\\Windows\\SysWOW64\\wermgr.exe", lpProcessInformation=0x18f8d8*(hProcess=0x200, hThread=0x1fc, dwProcessId=0x1334, dwThreadId=0x1348)) returned 1 [0136.721] NtAllocateVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f5bc*=0x0, ZeroBits=0x0, RegionSize=0x18f5b4*=0x24000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18f5bc*=0x4950000, RegionSize=0x18f5b4*=0x24000) returned 0x0 [0136.723] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x1ac6) returned 0x10848b8 [0136.723] NtAllocateVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f580*=0x0, ZeroBits=0x0, RegionSize=0x18f590*=0x1ac4, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x18f580*=0x4980000, RegionSize=0x18f590*=0x2000) returned 0x0 [0136.723] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x4980000, Buffer=0x10848b8*, NumberOfBytesToWrite=0x1ac4, NumberOfBytesWritten=0x18f57c | out: Buffer=0x10848b8*, NumberOfBytesWritten=0x18f57c*=0x1ac4) returned 0x0 [0136.725] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f580*=0x4980000, NumberOfBytesToProtect=0x18f590, NewAccessProtection=0x4, OldAccessProtection=0x18f578 | out: BaseAddress=0x18f580*=0x4980000, NumberOfBytesToProtect=0x18f590, OldAccessProtection=0x18f578*=0x4) returned 0x0 [0136.726] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x10848b8 | out: hHeap=0x1000000) returned 1 [0136.726] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x24002) returned 0x1000f58 [0136.729] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x4950000, Buffer=0x1000f58*, NumberOfBytesToWrite=0x24000, NumberOfBytesWritten=0x18f5a4 | out: Buffer=0x1000f58*, NumberOfBytesWritten=0x18f5a4*=0x24000) returned 0x0 [0136.795] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f554*=0x4950000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x4, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f554*=0x4950000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.820] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f548*=0x4951000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x20, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f548*=0x4951000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.877] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f548*=0x496a000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x4, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f548*=0x496a000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.908] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f548*=0x496f000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x4, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f548*=0x496f000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.920] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f548*=0x4972000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x2, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f548*=0x4972000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.955] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f548*=0x4973000, NumberOfBytesToProtect=0x18f56c, NewAccessProtection=0x2, OldAccessProtection=0x18f560 | out: BaseAddress=0x18f548*=0x4973000, NumberOfBytesToProtect=0x18f56c, OldAccessProtection=0x18f560*=0x40) returned 0x0 [0136.959] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000f58 | out: hHeap=0x1000000) returned 1 [0136.959] GetThreadContext (in: hThread=0x1fc, lpContext=0x18f5d4 | out: lpContext=0x18f5d4*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x29e000, Edx=0x0, Ecx=0x0, Eax=0x919700, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0136.971] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f8a8*=0x919700, NumberOfBytesToProtect=0x18f8b8, NewAccessProtection=0x4, OldAccessProtection=0x18f8ac | out: BaseAddress=0x18f8a8*=0x919000, NumberOfBytesToProtect=0x18f8b8, OldAccessProtection=0x18f8ac*=0x20) returned 0x0 [0136.975] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x919700, Buffer=0x18f8b0*, NumberOfBytesToWrite=0x5, NumberOfBytesWritten=0x18f8b8 | out: Buffer=0x18f8b0*, NumberOfBytesWritten=0x18f8b8*=0x5) returned 0x0 [0137.007] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f8a0*=0x919700, NumberOfBytesToProtect=0x18f8b8, NewAccessProtection=0x20, OldAccessProtection=0x18f8a4 | out: BaseAddress=0x18f8a0*=0x919000, NumberOfBytesToProtect=0x18f8b8, OldAccessProtection=0x18f8a4*=0x4) returned 0x0 [0145.347] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.347] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.347] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.347] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.347] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.348] lstrlenW (lpString="䉁䑃䙅") returned 3 [0145.349] RtlAllocateHeap (HeapHandle=0x1000000, Flags=0x8, Size=0x47) returned 0x1081770 [0145.349] _vsnprintf (in: _DstBuf=0x18f89c, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0x18ee40 | out: _DstBuf="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 38 [0145.351] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1081770 | out: hHeap=0x1000000) returned 1 [0145.351] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 0x208 [0145.351] GetLastError () returned 0x0 [0145.351] NtResumeThread (in: ThreadHandle=0x1fc, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0145.363] WaitForSingleObject (hHandle=0x208, dwMilliseconds=0x2710) returned 0x0 [0147.430] CloseHandle (hObject=0x208) returned 1 [0147.431] CloseHandle (hObject=0x1fc) returned 1 [0147.431] CloseHandle (hObject=0x200) returned 1 [0147.432] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x107f008 | out: hHeap=0x1000000) returned 1 [0147.433] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000eb0 | out: hHeap=0x1000000) returned 1 [0147.433] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000f10 | out: hHeap=0x1000000) returned 1 [0147.433] HeapFree (in: hHeap=0x1000000, dwFlags=0x0, lpMem=0x1000978 | out: hHeap=0x1000000) returned 1 [0147.434] ExitProcess (uExitCode=0x0) [0147.435] HeapFree (in: hHeap=0xdf0000, dwFlags=0x0, lpMem=0xe00958 | out: hHeap=0xdf0000) returned 1 Thread: id = 283 os_tid = 0xfe8 Process: id = "142" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51f7c000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9657 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9658 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9659 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9660 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9661 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9662 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 9663 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9664 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9665 start_va = 0x7ee40000 end_va = 0x7ee62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 9666 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9667 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9668 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9669 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9670 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9671 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9672 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9677 start_va = 0x400000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9678 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9679 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9680 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9681 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9682 start_va = 0x6f0000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 9683 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9684 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9685 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9686 start_va = 0x7ed40000 end_va = 0x7ee3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 9687 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9688 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 9689 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9690 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9691 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9692 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 9693 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9694 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9695 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9696 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9697 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9698 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9699 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9700 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 9701 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9702 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9703 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9704 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9712 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9713 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9714 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9715 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9716 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9717 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9718 start_va = 0x6f0000 end_va = 0x719fff monitored = 0 entry_point = 0x6f5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9719 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 9720 start_va = 0x960000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 9721 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9723 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9724 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9725 start_va = 0x6f0000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 9726 start_va = 0xaf0000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 9727 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9730 start_va = 0x770000 end_va = 0x800fff monitored = 0 entry_point = 0x7a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9734 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9735 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 9736 start_va = 0x760000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 9737 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 9738 start_va = 0x700000 end_va = 0x707fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 9747 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 9748 start_va = 0x710000 end_va = 0x711fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 9749 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 9750 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 9751 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 9752 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Thread: id = 284 os_tid = 0x1004 [0121.983] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0121.983] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.984] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0121.984] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.984] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0121.984] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0121.985] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.985] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0121.985] GetProcessHeap () returned 0x860000 [0121.985] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.986] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0121.986] GetLastError () returned 0x7e [0121.986] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0121.986] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0121.986] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x364) returned 0x870a50 [0121.986] SetLastError (dwErrCode=0x7e) [0121.986] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0xe00) returned 0x870dc0 [0121.988] GetStartupInfoW (in: lpStartupInfo=0x18f7d4 | out: lpStartupInfo=0x18f7d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0121.988] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0121.988] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0121.988] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0121.989] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"" [0121.989] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"" [0121.989] GetACP () returned 0x4e4 [0121.989] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x220) returned 0x871bc8 [0121.989] IsValidCodePage (CodePage=0x4e4) returned 1 [0121.989] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7f4 | out: lpCPInfo=0x18f7f4) returned 1 [0121.989] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0bc | out: lpCPInfo=0x18f0bc) returned 1 [0121.989] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.989] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0121.989] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0d0 | out: lpCharType=0x18f0d0) returned 1 [0121.989] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.989] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0121.989] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0121.990] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0121.990] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0121.990] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0121.990] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿV\x16\x15\x1d\x0cø\x18", lpUsedDefaultChar=0x0) returned 256 [0121.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0121.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0121.990] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0121.990] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0121.990] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿV\x16\x15\x1d\x0cø\x18", lpUsedDefaultChar=0x0) returned 256 [0121.990] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x80) returned 0x863858 [0121.990] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0121.990] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x17a) returned 0x871df0 [0121.990] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0121.990] GetLastError () returned 0x0 [0121.990] SetLastError (dwErrCode=0x0) [0121.990] GetEnvironmentStringsW () returned 0x871f78* [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0xa8c) returned 0x872a10 [0121.991] FreeEnvironmentStringsW (penv=0x871f78) returned 1 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x90) returned 0x864548 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x3e) returned 0x86ad00 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x5c) returned 0x868820 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x6e) returned 0x864610 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x78) returned 0x8734d0 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x62) returned 0x8649e0 [0121.991] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x28) returned 0x863d78 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x48) returned 0x863fc8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x1a) returned 0x860570 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x3a) returned 0x86afd0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x62) returned 0x863bd8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x2a) returned 0x868468 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x2e) returned 0x8684a0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x1c) returned 0x863da8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x144) returned 0x869c98 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x7c) returned 0x868080 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x36) returned 0x86e1e0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x3a) returned 0x86a9a0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x90) returned 0x864380 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x24) returned 0x8638f8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x30) returned 0x8684d8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x36) returned 0x86e320 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x48) returned 0x8628f0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x52) returned 0x8604b8 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x3c) returned 0x86af88 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0xd6) returned 0x869e58 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x2e) returned 0x868548 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x1e) returned 0x862940 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x2c) returned 0x868580 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x54) returned 0x863df0 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x52) returned 0x864050 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x24) returned 0x863e50 [0121.992] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x42) returned 0x8640b0 [0121.993] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x2c) returned 0x8685b8 [0121.993] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x44) returned 0x869f88 [0121.993] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x24) returned 0x863928 [0121.993] HeapFree (in: hHeap=0x860000, dwFlags=0x0, lpMem=0x872a10 | out: hHeap=0x860000) returned 1 [0121.993] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x8, Size=0x800) returned 0x871f78 [0121.994] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0121.994] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0121.994] GetStartupInfoW (in: lpStartupInfo=0x18f838 | out: lpStartupInfo=0x18f838*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0121.994] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"" [0121.994] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"", pNumArgs=0x18f824 | out: pNumArgs=0x18f824) returned 0x872bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0121.994] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0122.012] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x1000) returned 0x8744b0 [0122.012] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x28) returned 0x86a6d0 [0122.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_addProvider", cchWideChar=-1, lpMultiByteStr=0x86a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_addProvider", lpUsedDefaultChar=0x0) returned 20 [0122.012] GetLastError () returned 0x0 [0122.012] SetLastError (dwErrCode=0x0) [0122.013] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderW") returned 0x0 [0122.013] GetLastError () returned 0x7f [0122.013] SetLastError (dwErrCode=0x7f) [0122.013] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderA") returned 0x0 [0122.013] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProvider") returned 0x647cb3e5 [0122.013] RtlAllocateHeap (HeapHandle=0x860000, Flags=0x0, Size=0x4) returned 0x863800 [0122.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x863800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0122.013] GetActiveWindow () returned 0x0 [0122.014] GetLastError () returned 0x7f [0122.014] SetLastError (dwErrCode=0x7f) Thread: id = 286 os_tid = 0x101c Process: id = "143" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51fee000" os_pid = "0x1024" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "142" os_parent_pid = "0xffc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "144" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73697000" os_pid = "0x1038" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9771 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9772 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9773 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9774 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9775 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9776 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9777 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9778 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9779 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9780 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9781 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9782 start_va = 0x7ec70000 end_va = 0x7ec92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 9783 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9784 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9785 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9786 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9790 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9791 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9792 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9793 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9794 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9800 start_va = 0x600000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9803 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9804 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9805 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9806 start_va = 0x7eb70000 end_va = 0x7ec6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb70000" filename = "" Region: id = 9807 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9808 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 9809 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9810 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9811 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9812 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9813 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9814 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9815 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9816 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9817 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9818 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9820 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9821 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 9822 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9823 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9824 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9825 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9826 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9827 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9828 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9829 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9830 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9831 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9832 start_va = 0x600000 end_va = 0x629fff monitored = 0 entry_point = 0x605680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9833 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 9834 start_va = 0x860000 end_va = 0x9e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 9835 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9837 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9838 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 9839 start_va = 0x600000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9840 start_va = 0x9f0000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 9841 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9842 start_va = 0x600000 end_va = 0x690fff monitored = 0 entry_point = 0x638cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9843 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 9845 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9846 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 9847 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9848 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9850 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9851 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 9854 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9855 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 9856 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9857 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 290 os_tid = 0x103c [0122.850] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0122.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0122.850] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0122.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0122.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0122.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0122.851] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0122.851] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0122.852] GetProcessHeap () returned 0x760000 [0122.852] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0122.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0122.852] GetLastError () returned 0x7e [0122.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0122.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0122.852] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x364) returned 0x770a28 [0122.853] SetLastError (dwErrCode=0x7e) [0122.853] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe00) returned 0x770d98 [0122.854] GetStartupInfoW (in: lpStartupInfo=0x18f9f8 | out: lpStartupInfo=0x18f9f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0122.854] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0122.854] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0122.854] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0122.854] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"" [0122.854] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"" [0122.854] GetACP () returned 0x4e4 [0122.854] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x220) returned 0x771ba0 [0122.855] IsValidCodePage (CodePage=0x4e4) returned 1 [0122.855] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa18 | out: lpCPInfo=0x18fa18) returned 1 [0122.855] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2e0 | out: lpCPInfo=0x18f2e0) returned 1 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0122.855] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2f4 | out: lpCharType=0x18f2f4) returned 1 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0122.855] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0122.855] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0122.855] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0122.855] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0122.855] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¡ÁüÓ0ú\x18", lpUsedDefaultChar=0x0) returned 256 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0122.855] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0122.875] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0122.876] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¡ÁüÓ0ú\x18", lpUsedDefaultChar=0x0) returned 256 [0122.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x763868 [0122.876] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0122.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x188) returned 0x771dc8 [0122.876] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0122.876] GetLastError () returned 0x0 [0122.876] SetLastError (dwErrCode=0x0) [0122.876] GetEnvironmentStringsW () returned 0x771f58* [0122.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa8c) returned 0x7729f0 [0122.876] FreeEnvironmentStringsW (penv=0x771f58) returned 1 [0122.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x764558 [0122.876] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3e) returned 0x76ad68 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x768a58 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x6e) returned 0x764850 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x78) returned 0x773bb0 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x763fd8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x769e30 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x763d88 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x764620 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76ac00 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x7647c0 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2a) returned 0x7687b8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x768860 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x764648 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x144) returned 0x769c70 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x7c) returned 0x7682b8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e2f8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76aed0 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x76a280 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763be8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x7686a0 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e638 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x763908 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x762900 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3c) returned 0x76ac90 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xd6) returned 0x7604a0 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x7686d8 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1e) returned 0x760580 [0122.877] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x768898 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x54) returned 0x764390 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x763e00 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x7643f0 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x42) returned 0x764060 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x768978 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x7640b0 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763e60 [0122.878] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x7729f0 | out: hHeap=0x760000) returned 1 [0122.878] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x800) returned 0x771f58 [0122.878] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0122.878] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0122.878] GetStartupInfoW (in: lpStartupInfo=0x18fa5c | out: lpStartupInfo=0x18fa5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0122.878] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"" [0122.879] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"", pNumArgs=0x18fa48 | out: pNumArgs=0x18fa48) returned 0x772ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0122.879] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0122.881] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1000) returned 0x774490 [0122.881] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x36) returned 0x76e4b8 [0122.882] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_create", cchWideChar=-1, lpMultiByteStr=0x76e4b8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_create", lpUsedDefaultChar=0x0) returned 27 [0122.882] GetLastError () returned 0x0 [0122.882] SetLastError (dwErrCode=0x0) [0122.882] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createW") returned 0x0 [0122.882] GetLastError () returned 0x7f [0122.882] SetLastError (dwErrCode=0x7f) [0122.882] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createA") returned 0x0 [0122.882] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_create") returned 0x647c7d14 [0122.882] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4) returned 0x764100 [0122.882] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x764100, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0122.882] GetActiveWindow () returned 0x0 [0122.886] GetLastError () returned 0x7f [0122.886] SetLastError (dwErrCode=0x7f) Thread: id = 292 os_tid = 0x1064 Process: id = "145" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51db5000" os_pid = "0x1068" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "144" os_parent_pid = "0x1038" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "146" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51daf000" os_pid = "0x1074" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9864 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9865 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9866 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9867 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9868 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9869 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9870 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9871 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 9872 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9873 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9874 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9875 start_va = 0x7ee00000 end_va = 0x7ee22fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee00000" filename = "" Region: id = 9876 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9877 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9878 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9879 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9885 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9886 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9887 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9888 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9889 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9890 start_va = 0x4e0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 9892 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9893 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9894 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9895 start_va = 0x7ed00000 end_va = 0x7edfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed00000" filename = "" Region: id = 9896 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9897 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 9898 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9899 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9900 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9901 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 9902 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 9903 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9904 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9908 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9909 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9910 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9911 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9912 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9913 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 9914 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9915 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9916 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9917 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9918 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9919 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9920 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9921 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9922 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 9923 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 9925 start_va = 0x5e0000 end_va = 0x609fff monitored = 0 entry_point = 0x5e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9926 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 9927 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 9929 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 9930 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 9931 start_va = 0x8e0000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 9932 start_va = 0xa70000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 9933 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 9934 start_va = 0xa70000 end_va = 0xb00fff monitored = 0 entry_point = 0xaa8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 9935 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 9937 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 9938 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 9939 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9940 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9958 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9959 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 9960 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 9961 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 9971 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 9972 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 293 os_tid = 0x1078 [0123.745] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0123.745] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0123.745] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0123.746] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0123.746] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0123.746] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0123.747] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0123.748] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0123.748] GetProcessHeap () returned 0x650000 [0123.748] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0123.748] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0123.748] GetLastError () returned 0x7e [0123.748] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0123.749] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0123.749] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x364) returned 0x6609a0 [0123.749] SetLastError (dwErrCode=0x7e) [0123.749] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe00) returned 0x660d10 [0123.751] GetStartupInfoW (in: lpStartupInfo=0x18fa0c | out: lpStartupInfo=0x18fa0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0123.751] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0123.751] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0123.751] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0123.751] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"" [0123.751] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"" [0123.751] GetACP () returned 0x4e4 [0123.751] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x220) returned 0x661b18 [0123.751] IsValidCodePage (CodePage=0x4e4) returned 1 [0123.751] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa2c | out: lpCPInfo=0x18fa2c) returned 1 [0123.752] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2f4 | out: lpCPInfo=0x18f2f4) returned 1 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0123.752] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f308 | out: lpCharType=0x18f308) returned 1 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0123.752] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0123.752] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0123.752] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0123.752] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0123.752] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f808, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%­!øDú\x18", lpUsedDefaultChar=0x0) returned 256 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0123.752] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f908, cbMultiByte=256, lpWideCharStr=0x18f068, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0123.752] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0123.753] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0123.753] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f708, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%­!øDú\x18", lpUsedDefaultChar=0x0) returned 256 [0123.753] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x80) returned 0x653870 [0123.753] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0123.753] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x18a) returned 0x661d40 [0123.753] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0123.753] GetLastError () returned 0x0 [0123.753] SetLastError (dwErrCode=0x0) [0123.753] GetEnvironmentStringsW () returned 0x661ed8* [0123.753] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xa8c) returned 0x662970 [0123.754] FreeEnvironmentStringsW (penv=0x661ed8) returned 1 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x90) returned 0x6547c8 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3e) returned 0x65ad68 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x5c) returned 0x658aa0 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x6e) returned 0x654890 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x78) returned 0x663db0 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x62) returned 0x654c60 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x28) returned 0x653d90 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x48) returned 0x654248 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1a) returned 0x650570 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3a) returned 0x65b038 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x62) returned 0x653bf0 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2a) returned 0x6589f8 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e) returned 0x658988 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1c) returned 0x653dc0 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x144) returned 0x659cb8 [0123.754] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x658300 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x36) returned 0x65e430 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3a) returned 0x65afa8 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x90) returned 0x654600 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653910 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x30) returned 0x6588a8 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x36) returned 0x65e4f0 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x48) returned 0x652900 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x52) returned 0x6504b8 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3c) returned 0x65acd8 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xd6) returned 0x659e78 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e) returned 0x658918 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1e) returned 0x652950 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2c) returned 0x6586b0 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x54) returned 0x653e08 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x52) returned 0x6542d0 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653e68 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x42) returned 0x654330 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2c) returned 0x6589c0 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x44) returned 0x659fa8 [0123.755] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653940 [0123.757] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x662970 | out: hHeap=0x650000) returned 1 [0123.757] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x800) returned 0x661ed8 [0123.757] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0123.757] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0123.757] GetStartupInfoW (in: lpStartupInfo=0x18fa70 | out: lpStartupInfo=0x18fa70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0123.757] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"" [0123.757] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"", pNumArgs=0x18fa5c | out: pNumArgs=0x18fa5c) returned 0x662b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0123.758] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0123.834] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x1000) returned 0x664410 [0123.834] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x38) returned 0x65e4b0 [0123.834] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decrypt", cchWideChar=-1, lpMultiByteStr=0x65e4b0, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decrypt", lpUsedDefaultChar=0x0) returned 28 [0123.835] GetLastError () returned 0x0 [0123.835] SetLastError (dwErrCode=0x0) [0123.835] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptW") returned 0x0 [0123.835] GetLastError () returned 0x7f [0123.835] SetLastError (dwErrCode=0x7f) [0123.835] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptA") returned 0x0 [0123.835] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decrypt") returned 0x647c7430 [0123.835] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x4) returned 0x653818 [0123.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x653818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0123.836] GetActiveWindow () returned 0x0 [0123.861] GetLastError () returned 0x7f [0123.861] SetLastError (dwErrCode=0x7f) Thread: id = 295 os_tid = 0x10d4 Process: id = "147" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x18fc9000" os_pid = "0x10d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 9941 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 9942 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 9943 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 9944 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 9945 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 9946 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 9947 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 9948 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 9949 start_va = 0xe90000 end_va = 0xe91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 9950 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 9951 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 9952 start_va = 0x7f810000 end_va = 0x7f832fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f810000" filename = "" Region: id = 9953 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 9954 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 9955 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9956 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 9962 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 9963 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 9964 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 9965 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9966 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 9967 start_va = 0xea0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 9968 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 9969 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 9974 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 9975 start_va = 0x7f710000 end_va = 0x7f80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f710000" filename = "" Region: id = 9976 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 9977 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 9978 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 9979 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 9980 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 9981 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 9982 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 9983 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 9984 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 9985 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 9986 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 9987 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 9988 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 9989 start_va = 0xe90000 end_va = 0xe93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 9990 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 9992 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 9993 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 9994 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 9995 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 9996 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 9997 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 9998 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 9999 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10000 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10001 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 10002 start_va = 0xea0000 end_va = 0xec9fff monitored = 0 entry_point = 0xea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10003 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 10004 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10028 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10029 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 10030 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 10031 start_va = 0x1010000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 10032 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10033 start_va = 0x1010000 end_va = 0x10a0fff monitored = 0 entry_point = 0x1048cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10034 start_va = 0x1120000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 10043 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10044 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 10045 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 10046 start_va = 0xeb0000 end_va = 0xeb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 10063 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 10064 start_va = 0xec0000 end_va = 0xec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 10065 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 10066 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 10087 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 10088 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Thread: id = 296 os_tid = 0x1090 [0124.314] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0124.314] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0124.314] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0124.314] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0124.314] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0124.314] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0124.315] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0124.315] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0124.315] GetProcessHeap () returned 0xf10000 [0124.315] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0124.316] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0124.316] GetLastError () returned 0x7e [0124.316] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0124.316] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0124.316] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x364) returned 0xf209a0 [0124.316] SetLastError (dwErrCode=0x7e) [0124.316] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xe00) returned 0xf20d10 [0124.318] GetStartupInfoW (in: lpStartupInfo=0x18fc9c | out: lpStartupInfo=0x18fc9c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0124.318] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0124.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0124.318] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0124.318] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"" [0124.318] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"" [0124.318] GetACP () returned 0x4e4 [0124.318] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x220) returned 0xf21b18 [0124.318] IsValidCodePage (CodePage=0x4e4) returned 1 [0124.318] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcbc | out: lpCPInfo=0x18fcbc) returned 1 [0124.318] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f584 | out: lpCPInfo=0x18f584) returned 1 [0124.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x18f328, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0124.318] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f598 | out: lpCharType=0x18f598) returned 1 [0124.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x18f2d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0124.319] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0124.319] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0124.319] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0124.319] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0124.319] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa98, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿZ\x92¹\x97Ôü\x18", lpUsedDefaultChar=0x0) returned 256 [0124.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb98, cbMultiByte=256, lpWideCharStr=0x18f2f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0124.319] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0124.319] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0124.319] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f998, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿZ\x92¹\x97Ôü\x18", lpUsedDefaultChar=0x0) returned 256 [0124.319] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x80) returned 0xf13878 [0124.319] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0124.319] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x190) returned 0xf21d40 [0124.319] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0124.319] GetLastError () returned 0x0 [0124.319] SetLastError (dwErrCode=0x0) [0124.319] GetEnvironmentStringsW () returned 0xf21ed8* [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0xa8c) returned 0xf22970 [0124.320] FreeEnvironmentStringsW (penv=0xf21ed8) returned 1 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14568 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3e) returned 0xf1abb8 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x5c) returned 0xf18aa0 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x6e) returned 0xf14630 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x78) returned 0xf241b0 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf14a00 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x28) returned 0xf13d98 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf13fe8 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1a) returned 0xf10570 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1aff0 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf13bf8 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2a) returned 0xf18758 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf186b0 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1c) returned 0xf13dc8 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x144) returned 0xf19cb8 [0124.320] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x7c) returned 0xf180a0 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e030 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1aae0 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf143a0 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13918 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x30) returned 0xf18950 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e470 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf12908 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf104b8 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3c) returned 0xf1b158 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xd6) returned 0xf19e78 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18790 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1e) returned 0xf12958 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf187c8 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x54) returned 0xf13e10 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf14070 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13e70 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x42) returned 0xf140d0 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18988 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x44) returned 0xf19fa8 [0124.321] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13948 [0124.322] HeapFree (in: hHeap=0xf10000, dwFlags=0x0, lpMem=0xf22970 | out: hHeap=0xf10000) returned 1 [0124.322] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x800) returned 0xf21ed8 [0124.322] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0124.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0124.322] GetStartupInfoW (in: lpStartupInfo=0x18fd00 | out: lpStartupInfo=0x18fd00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0124.322] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"" [0124.322] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"", pNumArgs=0x18fcec | out: pNumArgs=0x18fcec) returned 0xf22b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0124.323] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0124.366] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x1000) returned 0xf24410 [0124.366] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x3e) returned 0xf1ac00 [0124.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decryptAny", cchWideChar=-1, lpMultiByteStr=0xf1ac00, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decryptAny", lpUsedDefaultChar=0x0) returned 31 [0124.366] GetLastError () returned 0x0 [0124.366] SetLastError (dwErrCode=0x0) [0124.367] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyW") returned 0x0 [0124.367] GetLastError () returned 0x7f [0124.367] SetLastError (dwErrCode=0x7f) [0124.367] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyA") returned 0x0 [0124.367] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAny") returned 0x647c7a5d [0124.367] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x4) returned 0xf13820 [0124.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xf13820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0124.367] GetActiveWindow () returned 0x0 [0124.368] GetLastError () returned 0x7f [0124.368] SetLastError (dwErrCode=0x7f) Thread: id = 298 os_tid = 0x10bc Process: id = "148" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x51ac5000" os_pid = "0x10c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "146" os_parent_pid = "0x1074" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4212 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10005 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10006 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10007 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10008 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10009 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10010 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 10011 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10012 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10013 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 10014 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 10015 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 10016 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10017 start_va = 0x7f090000 end_va = 0x7f0b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f090000" filename = "" Region: id = 10018 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10019 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10020 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 10021 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10022 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10023 start_va = 0x100000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10024 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10025 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10026 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10035 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10036 start_va = 0x4f0000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 10037 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10038 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10039 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10040 start_va = 0x7ef90000 end_va = 0x7f08ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef90000" filename = "" Region: id = 10041 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10047 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10048 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10049 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 10050 start_va = 0x1a0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 10051 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10052 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10053 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10054 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10055 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 10056 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10057 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10058 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10059 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10060 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 10061 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 10067 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 10068 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 10069 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 10070 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 10071 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10072 start_va = 0x4f0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 10073 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 10074 start_va = 0x4f0000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 10075 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 10076 start_va = 0x4f0000 end_va = 0x4f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 10077 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 10078 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10079 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10080 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10081 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 10082 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10083 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 10084 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 10085 start_va = 0x500000 end_va = 0x503fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 10089 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10090 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 10091 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 10092 start_va = 0xa30000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 10098 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 10099 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 10100 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 10101 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10102 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 10103 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 10104 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10105 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10106 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10107 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10108 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10109 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10110 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10111 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10112 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10113 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10114 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10115 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10116 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10117 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10118 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10119 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10120 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10121 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10122 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10123 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10124 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10125 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10126 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10127 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10128 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10129 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10133 start_va = 0x530000 end_va = 0x536fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 10135 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10136 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10137 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 10138 start_va = 0xbe0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 10143 start_va = 0x530000 end_va = 0x531fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 10144 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10186 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 10187 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10188 start_va = 0x6f750000 end_va = 0x6f7bffff monitored = 0 entry_point = 0x6f7a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 10189 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 10190 start_va = 0xab0000 end_va = 0xb99fff monitored = 0 entry_point = 0xaed650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10205 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 10206 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10207 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 10220 start_va = 0xab0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 10221 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10222 start_va = 0xbf0000 end_va = 0xf26fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 10223 start_va = 0x540000 end_va = 0x541fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10224 start_va = 0x540000 end_va = 0x543fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10225 start_va = 0x540000 end_va = 0x545fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10226 start_va = 0x540000 end_va = 0x547fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10227 start_va = 0xf30000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 10249 start_va = 0x540000 end_va = 0x549fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10250 start_va = 0x540000 end_va = 0x54bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10251 start_va = 0x540000 end_va = 0x54dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10252 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10253 start_va = 0x560000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10254 start_va = 0x560000 end_va = 0x573fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10255 start_va = 0x560000 end_va = 0x575fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10256 start_va = 0x560000 end_va = 0x577fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10257 start_va = 0x560000 end_va = 0x579fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10258 start_va = 0x560000 end_va = 0x57bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10259 start_va = 0x560000 end_va = 0x57dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10260 start_va = 0x560000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10272 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 10318 start_va = 0x6610000 end_va = 0x66dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 10319 start_va = 0x66e0000 end_va = 0x6795fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 10333 start_va = 0x1030000 end_va = 0x10d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 10397 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10398 start_va = 0x560000 end_va = 0x562fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 10399 start_va = 0x570000 end_va = 0x573fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 10400 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 10401 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10402 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10403 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10404 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10405 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10406 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10415 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10416 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10417 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10418 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10419 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10420 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10421 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10422 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10423 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10424 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10425 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10426 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10427 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10428 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10429 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10430 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10431 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 10447 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10448 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10449 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10450 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10451 start_va = 0x580000 end_va = 0x586fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10452 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 10453 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10454 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10455 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10456 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10457 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10458 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10477 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 10478 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 10479 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 10480 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 10481 start_va = 0x580000 end_va = 0x580fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 10482 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 10483 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 10484 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 10485 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 10486 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 11127 start_va = 0x1030000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 11128 start_va = 0x1070000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 11129 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 11130 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 11131 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 11132 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 11133 start_va = 0x6f930000 end_va = 0x6f938fff monitored = 0 entry_point = 0x6f933830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 11590 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 11591 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 11818 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 11922 start_va = 0x580000 end_va = 0x584fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 11923 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 11924 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12021 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12219 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 12220 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 12234 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 12235 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12324 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12467 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 12468 start_va = 0x6f8c0000 end_va = 0x6f93afff monitored = 0 entry_point = 0x6f8e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 12472 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 12473 start_va = 0x68d0000 end_va = 0x690ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068d0000" filename = "" Region: id = 12474 start_va = 0x6f830000 end_va = 0x6f8b0fff monitored = 0 entry_point = 0x6f836310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 12475 start_va = 0x6f810000 end_va = 0x6f825fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 12476 start_va = 0x6f7d0000 end_va = 0x6f800fff monitored = 0 entry_point = 0x6f7e22d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 12478 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 12479 start_va = 0x6910000 end_va = 0x69cbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006910000" filename = "" Region: id = 12480 start_va = 0x5a0000 end_va = 0x5a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 12481 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 12482 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 12483 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 12484 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 12485 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 12492 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 12493 start_va = 0x6f7c0000 end_va = 0x6f7ccfff monitored = 0 entry_point = 0x6f7c7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 12494 start_va = 0x600000 end_va = 0x602fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 12495 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12496 start_va = 0x69d0000 end_va = 0x6ec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069d0000" filename = "" Region: id = 12497 start_va = 0x6ed0000 end_va = 0x7f0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 12498 start_va = 0x7f10000 end_va = 0x7f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f10000" filename = "" Region: id = 12582 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 12583 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 299 os_tid = 0xc64 Thread: id = 300 os_tid = 0xc74 Thread: id = 302 os_tid = 0xc70 Thread: id = 330 os_tid = 0x120c Thread: id = 333 os_tid = 0xb30 Thread: id = 336 os_tid = 0xdc4 Thread: id = 380 os_tid = 0xcb0 Thread: id = 390 os_tid = 0x7e8 Process: id = "149" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6e178000" os_pid = "0xc80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "147" os_parent_pid = "0x10d8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "150" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x21321000" os_pid = "0x10b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "146" os_parent_pid = "0x1074" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "151" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51be0000" os_pid = "0xce8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10145 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10146 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10147 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10148 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10149 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10150 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10151 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10152 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10153 start_va = 0xea0000 end_va = 0xea1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 10154 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10155 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10156 start_va = 0x7fc40000 end_va = 0x7fc62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc40000" filename = "" Region: id = 10157 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10158 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10159 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10160 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10208 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10209 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10210 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10211 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10212 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10213 start_va = 0xeb0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 10214 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10215 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10228 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10229 start_va = 0x7fb40000 end_va = 0x7fc3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb40000" filename = "" Region: id = 10230 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10231 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 10232 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10233 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10234 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10235 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 10236 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10237 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10238 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10239 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10240 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10241 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10242 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10243 start_va = 0xea0000 end_va = 0xea3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 10244 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10245 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10246 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10247 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10261 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10262 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10263 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10264 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10265 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10266 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10267 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 10268 start_va = 0xeb0000 end_va = 0xed9fff monitored = 0 entry_point = 0xeb5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10269 start_va = 0x1050000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 10270 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10275 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10276 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 10277 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 10278 start_va = 0xeb0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 10279 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10280 start_va = 0xeb0000 end_va = 0xf40fff monitored = 0 entry_point = 0xee8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10281 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 10283 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10284 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 10285 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 10286 start_va = 0xec0000 end_va = 0xec7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 10288 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 10289 start_va = 0xed0000 end_va = 0xed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 10290 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 10292 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 10293 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 10294 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Thread: id = 305 os_tid = 0xca0 [0125.822] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0125.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0125.822] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0125.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0125.823] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0125.823] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0125.823] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0125.823] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0125.824] GetProcessHeap () returned 0x1050000 [0125.824] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0125.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0125.824] GetLastError () returned 0x7e [0125.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0125.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0125.824] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x364) returned 0x1060aa0 [0125.825] SetLastError (dwErrCode=0x7e) [0125.825] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0xe00) returned 0x1060e10 [0125.826] GetStartupInfoW (in: lpStartupInfo=0x18fa54 | out: lpStartupInfo=0x18fa54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0125.826] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0125.826] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0125.826] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0125.826] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"" [0125.826] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"" [0125.826] GetACP () returned 0x4e4 [0125.826] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0x220) returned 0x1061c18 [0125.827] IsValidCodePage (CodePage=0x4e4) returned 1 [0125.827] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa74 | out: lpCPInfo=0x18fa74) returned 1 [0125.827] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f33c | out: lpCPInfo=0x18f33c) returned 1 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x18f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0125.827] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f350 | out: lpCharType=0x18f350) returned 1 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0125.827] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0125.827] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0125.827] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0125.827] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0125.827] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f850, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x84\x9eg\x8cú\x18", lpUsedDefaultChar=0x0) returned 256 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0125.827] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f950, cbMultiByte=256, lpWideCharStr=0x18f0a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0125.827] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0125.827] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0125.827] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f750, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x84\x9eg\x8cú\x18", lpUsedDefaultChar=0x0) returned 256 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0x80) returned 0x10538a8 [0125.828] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x1ac) returned 0x1061e40 [0125.828] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0125.828] GetLastError () returned 0x0 [0125.828] SetLastError (dwErrCode=0x0) [0125.828] GetEnvironmentStringsW () returned 0x1061ff8* [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0xa8c) returned 0x1062a90 [0125.828] FreeEnvironmentStringsW (penv=0x1061ff8) returned 1 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x90) returned 0x1054598 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x3e) returned 0x105ae70 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x5c) returned 0x1058870 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x6e) returned 0x1054660 [0125.828] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x78) returned 0x1063d50 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x62) returned 0x1054a30 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x28) returned 0x1053dc8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x48) returned 0x1054018 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x1a) returned 0x1050570 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x3a) returned 0x105ab58 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x62) returned 0x1053c28 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x2a) returned 0x10585d0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x2e) returned 0x1058560 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x1c) returned 0x1053df8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x144) returned 0x1059ce8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x7c) returned 0x10580d0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x36) returned 0x105e5f0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x3a) returned 0x105af90 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x90) returned 0x10543d0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x24) returned 0x1053948 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x30) returned 0x1058608 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x36) returned 0x105e430 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x48) returned 0x1052928 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x52) returned 0x10504b8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x3c) returned 0x105aac8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0xd6) returned 0x1059ea8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x2e) returned 0x1058640 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x1e) returned 0x1052978 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x2c) returned 0x10586e8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x54) returned 0x1053e40 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x52) returned 0x10540a0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x24) returned 0x1053ea0 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x42) returned 0x1054100 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x2c) returned 0x1058678 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x44) returned 0x1059fd8 [0125.829] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x24) returned 0x1053978 [0125.831] HeapFree (in: hHeap=0x1050000, dwFlags=0x0, lpMem=0x1062a90 | out: hHeap=0x1050000) returned 1 [0125.831] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x8, Size=0x800) returned 0x1061ff8 [0125.831] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0125.832] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0125.832] GetStartupInfoW (in: lpStartupInfo=0x18fab8 | out: lpStartupInfo=0x18fab8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0125.832] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"" [0125.832] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"", pNumArgs=0x18faa4 | out: pNumArgs=0x18faa4) returned 0x1062c48*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0125.843] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0125.846] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0x1000) returned 0x1064530 [0125.846] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0x5a) returned 0x105a720 [0125.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_deserializeCertificateId", cchWideChar=-1, lpMultiByteStr=0x105a720, cbMultiByte=90, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_deserializeCertificateId", lpUsedDefaultChar=0x0) returned 45 [0125.846] GetLastError () returned 0x0 [0125.846] SetLastError (dwErrCode=0x0) [0125.846] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdW") returned 0x0 [0125.846] GetLastError () returned 0x7f [0125.846] SetLastError (dwErrCode=0x7f) [0125.847] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdA") returned 0x0 [0125.847] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateId") returned 0x647cddbf [0125.847] RtlAllocateHeap (HeapHandle=0x1050000, Flags=0x0, Size=0x4) returned 0x1053850 [0125.847] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x1053850, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0125.847] GetActiveWindow () returned 0x0 [0125.848] GetLastError () returned 0x7f [0125.848] SetLastError (dwErrCode=0x7f) Thread: id = 307 os_tid = 0x1130 Process: id = "152" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x514f6000" os_pid = "0x3a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10295 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10296 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10297 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10298 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10299 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10300 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10301 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10302 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 10303 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10304 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10305 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10306 start_va = 0x7f2d0000 end_va = 0x7f2f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2d0000" filename = "" Region: id = 10307 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10308 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10309 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10310 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10313 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10314 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10315 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10316 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10317 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10321 start_va = 0x480000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 10322 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10323 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10324 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10325 start_va = 0x7f1d0000 end_va = 0x7f2cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1d0000" filename = "" Region: id = 10326 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10327 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 10328 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10329 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10330 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10331 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 10332 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10335 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10336 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10337 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10338 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10339 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10340 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10341 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10342 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 10343 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10344 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10345 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10346 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10347 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10348 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10349 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10350 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10351 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10352 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10354 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10355 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 10356 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10357 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10358 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 10359 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 10360 start_va = 0xad0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 10361 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10362 start_va = 0xad0000 end_va = 0xb60fff monitored = 0 entry_point = 0xb08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10363 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 10365 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10366 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 10367 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 10368 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 10370 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 10371 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 10372 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 10373 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 10395 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 10396 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 308 os_tid = 0xdd0 [0126.337] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0126.337] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0126.337] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0126.337] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0126.338] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0126.338] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0126.338] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0126.338] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0126.339] GetProcessHeap () returned 0x5b0000 [0126.339] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0126.339] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0126.339] GetLastError () returned 0x7e [0126.339] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0126.339] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0126.339] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x364) returned 0x5c0a90 [0126.340] SetLastError (dwErrCode=0x7e) [0126.340] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xe00) returned 0x5c0e00 [0126.341] GetStartupInfoW (in: lpStartupInfo=0x18fe24 | out: lpStartupInfo=0x18fe24*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0126.341] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0126.341] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0126.341] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0126.341] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"" [0126.341] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"" [0126.341] GetACP () returned 0x4e4 [0126.341] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x220) returned 0x5c1c08 [0126.341] IsValidCodePage (CodePage=0x4e4) returned 1 [0126.342] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe44 | out: lpCPInfo=0x18fe44) returned 1 [0126.342] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f70c | out: lpCPInfo=0x18f70c) returned 1 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0126.342] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f720 | out: lpCharType=0x18f720) returned 1 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0126.342] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0126.342] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0126.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0126.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f258, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0126.342] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc20, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ;Ì¡:\\þ\x18", lpUsedDefaultChar=0x0) returned 256 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0126.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0126.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0126.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0126.342] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ;Ì¡:\\þ\x18", lpUsedDefaultChar=0x0) returned 256 [0126.342] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x80) returned 0x5b3898 [0126.343] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1a8) returned 0x5c1e30 [0126.343] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0126.343] GetLastError () returned 0x0 [0126.343] SetLastError (dwErrCode=0x0) [0126.343] GetEnvironmentStringsW () returned 0x5c1fe8* [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0xa8c) returned 0x5c2a80 [0126.343] FreeEnvironmentStringsW (penv=0x5c1fe8) returned 1 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x90) returned 0x5b47e8 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x3e) returned 0x5bb010 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x5c) returned 0x5b8ac0 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x6e) returned 0x5b48b0 [0126.343] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x78) returned 0x5c4340 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x62) returned 0x5b4c80 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x28) returned 0x5b4018 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x48) returned 0x5b4268 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1a) returned 0x5b0570 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x3a) returned 0x5bac20 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x62) returned 0x5b3c18 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2a) returned 0x5b8778 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2e) returned 0x5b89a8 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1c) returned 0x5b4048 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x144) returned 0x5b9cd8 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x7c) returned 0x5b8320 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x36) returned 0x5be0a0 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x3a) returned 0x5bab90 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x90) returned 0x5b4620 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x24) returned 0x5b3938 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x30) returned 0x5b87b0 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x36) returned 0x5be520 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x48) returned 0x5b2920 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x52) returned 0x5b04b8 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x3c) returned 0x5baf80 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0xd6) returned 0x5b9e98 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2e) returned 0x5b8a18 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x1e) returned 0x5b2970 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2c) returned 0x5b8858 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x54) returned 0x5b4090 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x52) returned 0x5b42f0 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x24) returned 0x5b40f0 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x42) returned 0x5b4350 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x2c) returned 0x5b8970 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x44) returned 0x5b9fc8 [0126.344] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x24) returned 0x5b3968 [0126.345] HeapFree (in: hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c2a80 | out: hHeap=0x5b0000) returned 1 [0126.345] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x8, Size=0x800) returned 0x5c1fe8 [0126.345] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0126.345] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0126.345] GetStartupInfoW (in: lpStartupInfo=0x18fe88 | out: lpStartupInfo=0x18fe88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0126.345] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"" [0126.345] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"", pNumArgs=0x18fe74 | out: pNumArgs=0x18fe74) returned 0x5c2c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0126.346] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0126.449] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x1000) returned 0x5c4520 [0126.449] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x56) returned 0x5ba710 [0126.449] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_duplicateCertificateId", cchWideChar=-1, lpMultiByteStr=0x5ba710, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_duplicateCertificateId", lpUsedDefaultChar=0x0) returned 43 [0126.449] GetLastError () returned 0x0 [0126.449] SetLastError (dwErrCode=0x0) [0126.449] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdW") returned 0x0 [0126.449] GetLastError () returned 0x7f [0126.449] SetLastError (dwErrCode=0x7f) [0126.449] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdA") returned 0x0 [0126.449] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateId") returned 0x647c6aee [0126.449] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0x0, Size=0x4) returned 0x5b3840 [0126.449] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x5b3840, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0126.450] GetActiveWindow () returned 0x0 [0126.450] GetLastError () returned 0x7f [0126.450] SetLastError (dwErrCode=0x7f) Thread: id = 310 os_tid = 0xb9c Process: id = "153" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x517f4000" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "151" os_parent_pid = "0xce8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "154" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5160b000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10376 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10377 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10378 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10379 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10380 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10381 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10382 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10383 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10384 start_va = 0xf60000 end_va = 0xf61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 10385 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10386 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10387 start_va = 0x7e620000 end_va = 0x7e642fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e620000" filename = "" Region: id = 10388 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10389 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10390 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10391 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10407 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10408 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10409 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10410 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10411 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10412 start_va = 0xf70000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 10413 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10432 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10433 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10434 start_va = 0x7e520000 end_va = 0x7e61ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e520000" filename = "" Region: id = 10435 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10436 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10437 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10438 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10439 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10440 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 10441 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10442 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10443 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10444 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10445 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10459 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10460 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10461 start_va = 0xf60000 end_va = 0xf63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 10462 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10463 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10464 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10465 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10466 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10467 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10468 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10469 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10470 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10471 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10472 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 10473 start_va = 0xf70000 end_va = 0xf99fff monitored = 0 entry_point = 0xf75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10474 start_va = 0x10f0000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 10475 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10487 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10488 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 10489 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 10490 start_va = 0xf70000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 10491 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10492 start_va = 0xf70000 end_va = 0x1000fff monitored = 0 entry_point = 0xfa8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10493 start_va = 0x1030000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 10495 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10496 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 10497 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 10498 start_va = 0xf80000 end_va = 0xf87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 10500 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 10501 start_va = 0xf90000 end_va = 0xf91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 10502 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 10503 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 10504 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 10505 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Thread: id = 311 os_tid = 0xd4c [0127.165] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0127.166] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.166] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0127.166] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.166] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0127.166] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0127.167] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.167] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0127.167] GetProcessHeap () returned 0x10f0000 [0127.167] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.168] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0127.168] GetLastError () returned 0x7e [0127.168] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0127.168] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0127.168] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x364) returned 0x1100a98 [0127.168] SetLastError (dwErrCode=0x7e) [0127.168] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0xe00) returned 0x1100e08 [0127.170] GetStartupInfoW (in: lpStartupInfo=0x18fa1c | out: lpStartupInfo=0x18fa1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0127.171] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0127.171] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0127.171] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0127.171] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"" [0127.171] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"" [0127.171] GetACP () returned 0x4e4 [0127.171] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0x220) returned 0x1101c10 [0127.171] IsValidCodePage (CodePage=0x4e4) returned 1 [0127.171] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa3c | out: lpCPInfo=0x18fa3c) returned 1 [0127.171] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f304 | out: lpCPInfo=0x18f304) returned 1 [0127.171] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0127.171] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f0a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0127.171] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f318 | out: lpCharType=0x18f318) returned 1 [0127.171] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0127.171] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0127.171] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.172] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0127.172] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0127.172] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0127.172] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f818, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨\x0b\x17{Tú\x18", lpUsedDefaultChar=0x0) returned 256 [0127.172] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0127.172] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f918, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0127.172] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0127.172] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0127.172] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f718, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨\x0b\x17{Tú\x18", lpUsedDefaultChar=0x0) returned 256 [0127.172] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0x80) returned 0x10f38a0 [0127.172] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0127.172] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x1aa) returned 0x1101e38 [0127.173] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0127.173] GetLastError () returned 0x0 [0127.173] SetLastError (dwErrCode=0x0) [0127.173] GetEnvironmentStringsW () returned 0x1101ff0* [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0xa8c) returned 0x1102a88 [0127.173] FreeEnvironmentStringsW (penv=0x1101ff0) returned 1 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x90) returned 0x10f4590 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x3e) returned 0x10fae20 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x5c) returned 0x10f8ac8 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x6e) returned 0x10f4658 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x78) returned 0x11037c8 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x62) returned 0x10f4c88 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x28) returned 0x10f3dc0 [0127.173] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x48) returned 0x10f4010 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x1a) returned 0x10f0570 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x3a) returned 0x10faf88 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x62) returned 0x10f3c20 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x2a) returned 0x10f8940 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x2e) returned 0x10f87f0 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x1c) returned 0x10f3df0 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x144) returned 0x10f9ce0 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x7c) returned 0x10f8328 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x36) returned 0x10fe268 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x3a) returned 0x10faef8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x90) returned 0x10f43c8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x24) returned 0x10f3940 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x30) returned 0x10f8898 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x36) returned 0x10fe3a8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x48) returned 0x10f2920 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x52) returned 0x10f04b8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x3c) returned 0x10fae68 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0xd6) returned 0x10f9ea0 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x2e) returned 0x10f86a0 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x1e) returned 0x10f2970 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x2c) returned 0x10f86d8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x54) returned 0x10f3e38 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x52) returned 0x10f4098 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x24) returned 0x10f3e98 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x42) returned 0x10f40f8 [0127.174] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x2c) returned 0x10f8710 [0127.175] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x44) returned 0x10f9fd0 [0127.175] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x24) returned 0x10f3970 [0127.175] HeapFree (in: hHeap=0x10f0000, dwFlags=0x0, lpMem=0x1102a88 | out: hHeap=0x10f0000) returned 1 [0127.175] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x8, Size=0x800) returned 0x1101ff0 [0127.175] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0127.175] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0127.176] GetStartupInfoW (in: lpStartupInfo=0x18fa80 | out: lpStartupInfo=0x18fa80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0127.176] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"" [0127.176] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"", pNumArgs=0x18fa6c | out: pNumArgs=0x18fa6c) returned 0x1102c40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0127.182] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0127.185] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0x1000) returned 0x1104528 [0127.185] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0x58) returned 0x10fa718 [0127.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureCertificateAccess", cchWideChar=-1, lpMultiByteStr=0x10fa718, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureCertificateAccess", lpUsedDefaultChar=0x0) returned 44 [0127.185] GetLastError () returned 0x0 [0127.185] SetLastError (dwErrCode=0x0) [0127.186] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessW") returned 0x0 [0127.186] GetLastError () returned 0x7f [0127.186] SetLastError (dwErrCode=0x7f) [0127.186] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessA") returned 0x0 [0127.186] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccess") returned 0x647c84a4 [0127.186] RtlAllocateHeap (HeapHandle=0x10f0000, Flags=0x0, Size=0x4) returned 0x10f3848 [0127.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x10f3848, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0127.186] GetActiveWindow () returned 0x0 [0127.187] GetLastError () returned 0x7f [0127.187] SetLastError (dwErrCode=0x7f) Thread: id = 313 os_tid = 0x49c Process: id = "155" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6395b000" os_pid = "0x414" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "152" os_parent_pid = "0x3a8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "156" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51520000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10506 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10507 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10508 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10509 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10510 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10511 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10512 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10513 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10514 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 10515 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10516 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10517 start_va = 0x7e540000 end_va = 0x7e562fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e540000" filename = "" Region: id = 10518 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10519 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10520 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10521 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10527 start_va = 0x400000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10528 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10529 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10530 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10531 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10532 start_va = 0x500000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 10533 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10534 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10548 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10549 start_va = 0x7e440000 end_va = 0x7e53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e440000" filename = "" Region: id = 10550 start_va = 0x450000 end_va = 0x50dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10551 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10552 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10553 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10554 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 10555 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10556 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10557 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10558 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10559 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10560 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10561 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10562 start_va = 0x710000 end_va = 0x713fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 10563 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10571 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10572 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10573 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10575 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10576 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10577 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10578 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10579 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10580 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10581 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 10582 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10583 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10584 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10585 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10586 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 10587 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 10588 start_va = 0xa40000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 10589 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10590 start_va = 0xa40000 end_va = 0xad0fff monitored = 0 entry_point = 0xa78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10591 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 10594 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10595 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 10596 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 10597 start_va = 0xa50000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 10603 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 10604 start_va = 0xa60000 end_va = 0xa61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 10605 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 10606 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 10607 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 10608 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Thread: id = 314 os_tid = 0x13f8 [0127.925] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0127.925] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.925] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0127.925] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0127.926] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0127.926] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0127.926] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.060] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0128.060] GetProcessHeap () returned 0x510000 [0128.060] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.061] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0128.061] GetLastError () returned 0x7e [0128.061] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0128.061] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0128.061] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x364) returned 0x520a80 [0128.061] SetLastError (dwErrCode=0x7e) [0128.061] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe00) returned 0x520df0 [0128.063] GetStartupInfoW (in: lpStartupInfo=0x18f760 | out: lpStartupInfo=0x18f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0128.063] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0128.063] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0128.063] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0128.063] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"" [0128.063] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"" [0128.063] GetACP () returned 0x4e4 [0128.063] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x220) returned 0x521bf8 [0128.063] IsValidCodePage (CodePage=0x4e4) returned 1 [0128.063] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f780 | out: lpCPInfo=0x18f780) returned 1 [0128.063] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f048 | out: lpCPInfo=0x18f048) returned 1 [0128.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.063] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f05c | out: lpCharType=0x18f05c) returned 1 [0128.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.063] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0128.064] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.064] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0128.064] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0128.064] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.064] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f55c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]Y ´\x98÷\x18", lpUsedDefaultChar=0x0) returned 256 [0128.064] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.064] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.064] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0128.064] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eba8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0128.064] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f45c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]Y ´\x98÷\x18", lpUsedDefaultChar=0x0) returned 256 [0128.064] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x80) returned 0x513888 [0128.064] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0128.064] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x19a) returned 0x521e20 [0128.064] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0128.064] GetLastError () returned 0x0 [0128.064] SetLastError (dwErrCode=0x0) [0128.064] GetEnvironmentStringsW () returned 0x521fc8* [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xa8c) returned 0x522a60 [0128.065] FreeEnvironmentStringsW (penv=0x521fc8) returned 1 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x514578 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3e) returned 0x51b000 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x5c) returned 0x518850 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x6e) returned 0x514640 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x78) returned 0x5241a0 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x514a10 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x28) returned 0x513da8 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x513ff8 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x510570 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51ac58 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x513c08 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2a) returned 0x518770 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x518428 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1c) returned 0x513dd8 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x144) returned 0x519cc8 [0128.065] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x7c) returned 0x5180b0 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e190 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51ae98 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x5143b0 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513928 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x30) returned 0x518700 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e0d0 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x512910 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x5104b8 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c) returned 0x51aee0 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xd6) returned 0x519e88 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x518738 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1e) returned 0x512960 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x518498 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x54) returned 0x513e20 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x514080 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513e80 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x42) returned 0x5140e0 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x518508 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x519fb8 [0128.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513958 [0128.067] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x522a60 | out: hHeap=0x510000) returned 1 [0128.069] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x800) returned 0x521fc8 [0128.069] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0128.069] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0128.070] GetStartupInfoW (in: lpStartupInfo=0x18f7c4 | out: lpStartupInfo=0x18f7c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0128.070] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"" [0128.070] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"", pNumArgs=0x18f7b0 | out: pNumArgs=0x18f7b0) returned 0x522c18*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0128.070] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0128.073] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1000) returned 0x524500 [0128.073] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x48) returned 0x51a700 [0128.073] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureKeyAccess", cchWideChar=-1, lpMultiByteStr=0x51a700, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureKeyAccess", lpUsedDefaultChar=0x0) returned 36 [0128.073] GetLastError () returned 0x0 [0128.073] SetLastError (dwErrCode=0x0) [0128.073] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessW") returned 0x0 [0128.073] GetLastError () returned 0x7f [0128.073] SetLastError (dwErrCode=0x7f) [0128.073] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessA") returned 0x0 [0128.073] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccess") returned 0x647c86f6 [0128.073] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x513830 [0128.073] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x513830, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0128.073] GetActiveWindow () returned 0x0 [0128.075] GetLastError () returned 0x7f [0128.075] SetLastError (dwErrCode=0x7f) Thread: id = 317 os_tid = 0xdac Process: id = "157" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x28b95000" os_pid = "0xcbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "154" os_parent_pid = "0xb68" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "158" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x285cc000" os_pid = "0x1150" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "156" os_parent_pid = "0xa68" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2664 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10629 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10630 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10631 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10632 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10633 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10634 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 10635 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10636 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 10637 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10638 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 10639 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 10640 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10641 start_va = 0x7f030000 end_va = 0x7f052fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f030000" filename = "" Region: id = 10642 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10643 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10644 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 10645 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10646 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10647 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10648 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10649 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10650 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10660 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10661 start_va = 0x570000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 10662 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10663 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10664 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10665 start_va = 0x7ef30000 end_va = 0x7f02ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef30000" filename = "" Region: id = 10666 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10689 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10690 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10691 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10692 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 10693 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10694 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10695 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10696 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10697 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 10698 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10699 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10700 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10701 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10702 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 10703 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 10704 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 10722 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 10723 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10724 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 10725 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 10727 start_va = 0x7a0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 10728 start_va = 0x450000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 10729 start_va = 0x450000 end_va = 0x453fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 10730 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 10731 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10732 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10733 start_va = 0x460000 end_va = 0x489fff monitored = 0 entry_point = 0x465680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10734 start_va = 0x900000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 10735 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10736 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 10737 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 10738 start_va = 0x460000 end_va = 0x463fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 10745 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10746 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 10747 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 10748 start_va = 0x570000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 10749 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 10758 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 10759 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 10760 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 10761 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10762 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 10763 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 10764 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10765 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10767 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10768 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10769 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10770 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10771 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10772 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10773 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10774 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10775 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10776 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10777 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10778 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10779 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10780 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10781 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10782 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10783 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10784 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10785 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10786 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10787 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10788 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10789 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10790 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10791 start_va = 0x4a0000 end_va = 0x4a6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 10814 start_va = 0x4a0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 10815 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 10816 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 10817 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 10838 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 10839 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10840 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 10841 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10842 start_va = 0x6f750000 end_va = 0x6f7bffff monitored = 0 entry_point = 0x6f7a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 10843 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 10844 start_va = 0x7a0000 end_va = 0x889fff monitored = 0 entry_point = 0x7dd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10845 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 10857 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 10858 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10859 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 10860 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 10861 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10891 start_va = 0xc20000 end_va = 0xf56fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 10892 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10893 start_va = 0x4b0000 end_va = 0x4b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10894 start_va = 0x4b0000 end_va = 0x4b5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10895 start_va = 0x4b0000 end_va = 0x4b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10896 start_va = 0xf60000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 10897 start_va = 0x4b0000 end_va = 0x4b9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10898 start_va = 0x4b0000 end_va = 0x4bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10899 start_va = 0x4b0000 end_va = 0x4bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10900 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10901 start_va = 0x4b0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10902 start_va = 0x4b0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10903 start_va = 0x4b0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10904 start_va = 0x4b0000 end_va = 0x4c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10905 start_va = 0x4b0000 end_va = 0x4c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10906 start_va = 0x4b0000 end_va = 0x4cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10907 start_va = 0x4b0000 end_va = 0x4cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10908 start_va = 0x4b0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 10922 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 11012 start_va = 0x6610000 end_va = 0x66dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 11037 start_va = 0x66e0000 end_va = 0x678bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 11068 start_va = 0x6790000 end_va = 0x683cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 11211 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 11212 start_va = 0x4c0000 end_va = 0x4c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 11213 start_va = 0x4d0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11214 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 11215 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11216 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11217 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11218 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11219 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11220 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11221 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11222 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11223 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11238 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11239 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11240 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11241 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11242 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11243 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11244 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11245 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11246 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11247 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11248 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11249 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11250 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11276 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 11277 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11278 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11279 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11280 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11281 start_va = 0x4e0000 end_va = 0x4e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11282 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 11283 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 11284 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11285 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11286 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11296 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 11297 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11298 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11299 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 11300 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11301 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 11302 start_va = 0x500000 end_va = 0x500fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 11303 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 11309 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 11338 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 11339 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 11340 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 11941 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 11942 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 11943 start_va = 0x8a0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 11944 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 11945 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 11946 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 11947 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12050 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 12051 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12191 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12321 start_va = 0x500000 end_va = 0x504fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 12322 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 12323 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12429 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12578 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 12579 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 12580 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 12581 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12836 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 13009 start_va = 0x540000 end_va = 0x541fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 13010 start_va = 0x6f850000 end_va = 0x6f8cafff monitored = 0 entry_point = 0x6f874d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 13023 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 13024 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 13025 start_va = 0x6f7c0000 end_va = 0x6f840fff monitored = 0 entry_point = 0x6f7c6310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 13026 start_va = 0x6f7a0000 end_va = 0x6f7b5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 13027 start_va = 0x6f760000 end_va = 0x6f790fff monitored = 0 entry_point = 0x6f7722d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 13033 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 13034 start_va = 0x6850000 end_va = 0x690bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006850000" filename = "" Region: id = 13035 start_va = 0x550000 end_va = 0x553fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 13036 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 13037 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 13038 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 13039 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 13040 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13052 start_va = 0x6910000 end_va = 0x6910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 13053 start_va = 0x6f930000 end_va = 0x6f93cfff monitored = 0 entry_point = 0x6f937d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 13054 start_va = 0x6920000 end_va = 0x6922fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 13055 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 13056 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 13073 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 13074 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 13107 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 13108 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 318 os_tid = 0x13ec Thread: id = 322 os_tid = 0x1338 Thread: id = 324 os_tid = 0xda4 Thread: id = 358 os_tid = 0x1110 Thread: id = 360 os_tid = 0x1214 Thread: id = 361 os_tid = 0x1148 Thread: id = 394 os_tid = 0x11cc Thread: id = 412 os_tid = 0x960 Process: id = "159" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51338000" os_pid = "0xcc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10610 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10611 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10612 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10613 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10614 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10615 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10616 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10617 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10618 start_va = 0xcb0000 end_va = 0xcb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 10619 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10620 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10621 start_va = 0x7f950000 end_va = 0x7f972fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f950000" filename = "" Region: id = 10622 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10623 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10624 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10625 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10651 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10652 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10653 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10654 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10655 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10656 start_va = 0xcc0000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 10657 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10658 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10669 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10670 start_va = 0x7f850000 end_va = 0x7f94ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f850000" filename = "" Region: id = 10671 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10672 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10673 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10674 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 10675 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 10676 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10677 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10678 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10679 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10680 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10681 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10682 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10683 start_va = 0xcb0000 end_va = 0xcb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 10684 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10685 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10686 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10687 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10705 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10706 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10707 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10708 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10709 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10710 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10711 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 10712 start_va = 0xcc0000 end_va = 0xce9fff monitored = 0 entry_point = 0xcc5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10713 start_va = 0xd20000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 10714 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10715 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10716 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10717 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 10718 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 10719 start_va = 0xcc0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 10720 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10721 start_va = 0xe20000 end_va = 0xeb0fff monitored = 0 entry_point = 0xe58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10739 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10741 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 10742 start_va = 0xcd0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 10743 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 10744 start_va = 0xce0000 end_va = 0xce7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 10751 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 10752 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10753 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 10754 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 10756 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 10757 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Thread: id = 319 os_tid = 0xd78 [0128.822] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0128.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.822] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0128.822] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.822] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0128.822] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0128.823] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.823] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0128.823] GetProcessHeap () returned 0xd20000 [0128.823] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0128.824] GetLastError () returned 0x7e [0128.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0128.824] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0128.824] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x364) returned 0xd30a88 [0128.824] SetLastError (dwErrCode=0x7e) [0128.824] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0xe00) returned 0xd30df8 [0128.915] GetStartupInfoW (in: lpStartupInfo=0x18f7b0 | out: lpStartupInfo=0x18f7b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0128.916] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0128.916] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0128.916] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0128.916] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"" [0128.916] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"" [0128.916] GetACP () returned 0x4e4 [0128.916] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0x220) returned 0xd31c00 [0128.916] IsValidCodePage (CodePage=0x4e4) returned 1 [0128.916] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7d0 | out: lpCPInfo=0x18f7d0) returned 1 [0128.916] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f098 | out: lpCPInfo=0x18f098) returned 1 [0128.916] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.916] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ee38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.916] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f0ac | out: lpCharType=0x18f0ac) returned 1 [0128.916] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.916] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0128.916] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0128.917] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0128.917] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0128.917] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.917] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x11R1\x9aè÷\x18", lpUsedDefaultChar=0x0) returned 256 [0128.917] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0128.917] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ee08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0128.917] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0128.917] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ebf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0128.917] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x11R1\x9aè÷\x18", lpUsedDefaultChar=0x0) returned 256 [0128.917] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0x80) returned 0xd23890 [0128.917] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0128.917] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x1a0) returned 0xd31e28 [0128.917] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0128.917] GetLastError () returned 0x0 [0128.917] SetLastError (dwErrCode=0x0) [0128.918] GetEnvironmentStringsW () returned 0xd31fd0* [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0xa8c) returned 0xd32a68 [0128.918] FreeEnvironmentStringsW (penv=0xd31fd0) returned 1 [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x90) returned 0xd24580 [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x3e) returned 0xd2ab40 [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x5c) returned 0xd28858 [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x6e) returned 0xd24648 [0128.918] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x78) returned 0xd33aa8 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x62) returned 0xd24a18 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x28) returned 0xd23db0 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x48) returned 0xd24000 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x1a) returned 0xd20570 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x3a) returned 0xd2aaf8 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x62) returned 0xd23c10 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x2a) returned 0xd28778 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x2e) returned 0xd287b0 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x1c) returned 0xd23de0 [0128.919] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x144) returned 0xd29cd0 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x7c) returned 0xd280b8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x36) returned 0xd2dfd8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x3a) returned 0xd2b0e0 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x90) returned 0xd243b8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x24) returned 0xd23930 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x30) returned 0xd28430 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x36) returned 0xd2e5d8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x48) returned 0xd22918 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x52) returned 0xd204b8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x3c) returned 0xd2aee8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0xd6) returned 0xd29e90 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x2e) returned 0xd284d8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x1e) returned 0xd22968 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x2c) returned 0xd285f0 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x54) returned 0xd23e28 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x52) returned 0xd24088 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x24) returned 0xd23e88 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x42) returned 0xd240e8 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x2c) returned 0xd28548 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x44) returned 0xd29fc0 [0128.920] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x24) returned 0xd23960 [0128.921] HeapFree (in: hHeap=0xd20000, dwFlags=0x0, lpMem=0xd32a68 | out: hHeap=0xd20000) returned 1 [0128.921] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x8, Size=0x800) returned 0xd31fd0 [0128.921] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0128.921] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0128.921] GetStartupInfoW (in: lpStartupInfo=0x18f814 | out: lpStartupInfo=0x18f814*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0128.922] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"" [0128.922] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"", pNumArgs=0x18f800 | out: pNumArgs=0x18f800) returned 0xd32c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0128.922] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0128.925] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0x1000) returned 0xd34508 [0128.925] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0x4e) returned 0xd2a708 [0128.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumCertificateIds", cchWideChar=-1, lpMultiByteStr=0xd2a708, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumCertificateIds", lpUsedDefaultChar=0x0) returned 39 [0128.925] GetLastError () returned 0x0 [0128.926] SetLastError (dwErrCode=0x0) [0128.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsW") returned 0x0 [0128.926] GetLastError () returned 0x7f [0128.926] SetLastError (dwErrCode=0x7f) [0128.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsA") returned 0x0 [0128.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIds") returned 0x647c9404 [0128.926] RtlAllocateHeap (HeapHandle=0xd20000, Flags=0x0, Size=0x4) returned 0xd23838 [0128.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xd23838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0128.926] GetActiveWindow () returned 0x0 [0128.933] GetLastError () returned 0x7f [0128.933] SetLastError (dwErrCode=0x7f) Thread: id = 321 os_tid = 0x7a0 Process: id = "160" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51656000" os_pid = "0xda0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "156" os_parent_pid = "0xa68" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "161" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x51000000" os_pid = "0x1354" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "159" os_parent_pid = "0xcc4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "162" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6b4d2000" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "159" os_parent_pid = "0xcc4" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3268 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10792 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10793 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10794 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10795 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10796 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 10797 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 10798 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 10799 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10800 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 10801 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 10802 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 10803 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10804 start_va = 0x7fb90000 end_va = 0x7fbb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb90000" filename = "" Region: id = 10805 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10806 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10807 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 10808 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10809 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10810 start_va = 0x100000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10811 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10812 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10818 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10819 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10820 start_va = 0x9f0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 10821 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10822 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10824 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10825 start_va = 0x7fa90000 end_va = 0x7fb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa90000" filename = "" Region: id = 10826 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10827 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10828 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 10829 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 10830 start_va = 0x160000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 10831 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10832 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10833 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10834 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10835 start_va = 0x9e0000 end_va = 0x9e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 10836 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10837 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10846 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10847 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 10848 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10850 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 10851 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 10852 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10853 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 10854 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 10855 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 10856 start_va = 0xc00000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 10879 start_va = 0x9f0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 10880 start_va = 0xb00000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 10881 start_va = 0x9f0000 end_va = 0x9f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 10882 start_va = 0xa40000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 10883 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10884 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10885 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 10886 start_va = 0xa00000 end_va = 0xa29fff monitored = 0 entry_point = 0xa05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10887 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10888 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 10889 start_va = 0xa00000 end_va = 0xa03fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 10890 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 10918 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10919 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 10920 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 10921 start_va = 0xd30000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 10960 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 10961 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 10962 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 10963 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10964 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 10965 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 10966 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10967 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10968 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10969 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10970 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10971 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10972 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10978 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10979 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10980 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10981 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10982 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10983 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10984 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10985 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10986 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10987 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10988 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10989 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10990 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10991 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10992 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10993 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10994 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10995 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10996 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 10997 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 11003 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 11004 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 11005 start_va = 0xa50000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 11011 start_va = 0xa30000 end_va = 0xa31fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 11030 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11031 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 11032 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11033 start_va = 0x6f750000 end_va = 0x6f7bffff monitored = 0 entry_point = 0x6f7a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 11034 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 11035 start_va = 0xc00000 end_va = 0xce9fff monitored = 0 entry_point = 0xc3d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11036 start_va = 0xd20000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 11063 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 11064 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11065 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 11066 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 11067 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11094 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 11095 start_va = 0xad0000 end_va = 0xad1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11096 start_va = 0xad0000 end_va = 0xad3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11097 start_va = 0xad0000 end_va = 0xad5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11098 start_va = 0xad0000 end_va = 0xad7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11099 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 11100 start_va = 0xad0000 end_va = 0xad9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11101 start_va = 0xad0000 end_va = 0xadbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11102 start_va = 0xad0000 end_va = 0xaddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11103 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11104 start_va = 0xad0000 end_va = 0xae1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11105 start_va = 0xad0000 end_va = 0xae3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11106 start_va = 0xad0000 end_va = 0xae5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11107 start_va = 0xad0000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11108 start_va = 0xad0000 end_va = 0xae9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11109 start_va = 0xad0000 end_va = 0xaebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11110 start_va = 0xad0000 end_va = 0xaedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11111 start_va = 0xad0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11189 start_va = 0xd30000 end_va = 0xe0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 11190 start_va = 0xf00000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 11336 start_va = 0xe10000 end_va = 0xedbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 11359 start_va = 0xf10000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 11375 start_va = 0xfd0000 end_va = 0x1074fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 11441 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11442 start_va = 0xae0000 end_va = 0xae2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 11443 start_va = 0xaf0000 end_va = 0xaf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 11444 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 11445 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11446 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11447 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11479 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11480 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11481 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11482 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11483 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11484 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11485 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11486 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11487 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11488 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11489 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11490 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11491 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11492 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11493 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11494 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11517 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11518 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11519 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11520 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 11521 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11522 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11523 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11524 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11525 start_va = 0xd00000 end_va = 0xd06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11538 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 11539 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11540 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11541 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11542 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11543 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11549 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 11550 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11551 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 11552 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 11553 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 11562 start_va = 0x8e0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 11563 start_va = 0x920000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 11564 start_va = 0xd00000 end_va = 0xd00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 11565 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 11566 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 11567 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 11568 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 11569 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12030 start_va = 0x960000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 12031 start_va = 0x9a0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 12032 start_va = 0xe10000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 12033 start_va = 0xe50000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 12034 start_va = 0xe90000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 12035 start_va = 0x1010000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 12036 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12232 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 12233 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12320 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12418 start_va = 0xd00000 end_va = 0xd04fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 12419 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 12420 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12577 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12829 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 12830 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 12837 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 12838 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12986 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 13236 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13237 start_va = 0x6f840000 end_va = 0x6f8bafff monitored = 0 entry_point = 0x6f864d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 13259 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 13260 start_va = 0x68b0000 end_va = 0x68effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068b0000" filename = "" Region: id = 13261 start_va = 0x6f7b0000 end_va = 0x6f830fff monitored = 0 entry_point = 0x6f7b6310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 13262 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 13263 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 13268 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 13269 start_va = 0x68f0000 end_va = 0x69abfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068f0000" filename = "" Region: id = 13270 start_va = 0xed0000 end_va = 0xed3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 13271 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 13272 start_va = 0xee0000 end_va = 0xee3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 13273 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 13274 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 13275 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13276 start_va = 0x69b0000 end_va = 0x69b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 13277 start_va = 0x6f740000 end_va = 0x6f74cfff monitored = 0 entry_point = 0x6f747d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 13278 start_va = 0x69c0000 end_va = 0x69c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 13279 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13280 start_va = 0x69d0000 end_va = 0x6ec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069d0000" filename = "" Region: id = 13281 start_va = 0x6ed0000 end_va = 0x7f0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 13295 start_va = 0x7f10000 end_va = 0x7f51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f10000" filename = "" Region: id = 13341 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 13342 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 323 os_tid = 0xcb8 Thread: id = 325 os_tid = 0xda8 Thread: id = 329 os_tid = 0xccc Thread: id = 348 os_tid = 0x8e4 Thread: id = 362 os_tid = 0x123c Thread: id = 364 os_tid = 0x1300 Thread: id = 366 os_tid = 0x131c Thread: id = 404 os_tid = 0x132c Thread: id = 419 os_tid = 0x12b8 Process: id = "163" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5114d000" os_pid = "0x114c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 10862 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 10863 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 10864 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 10865 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 10866 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 10867 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 10868 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 10869 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 10870 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 10871 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 10872 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10873 start_va = 0x7eab0000 end_va = 0x7ead2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eab0000" filename = "" Region: id = 10874 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 10875 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 10876 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10877 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 10909 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 10910 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 10911 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 10912 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10913 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 10914 start_va = 0xb90000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 10915 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 10916 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 10923 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 10924 start_va = 0x7e9b0000 end_va = 0x7eaaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9b0000" filename = "" Region: id = 10925 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 10926 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 10927 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 10928 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 10929 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 10930 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 10931 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 10932 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 10933 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 10934 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 10935 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 10936 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 10937 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 10938 start_va = 0xb80000 end_va = 0xb83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 10939 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 10940 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 10941 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 10942 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 10944 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 10945 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 10946 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 10947 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 10948 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 10949 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 10950 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 10951 start_va = 0xb90000 end_va = 0xbb9fff monitored = 0 entry_point = 0xb95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10952 start_va = 0xc70000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 10953 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 10954 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 10955 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 10956 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 10957 start_va = 0xd70000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 10958 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 10959 start_va = 0xb90000 end_va = 0xc20fff monitored = 0 entry_point = 0xbc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 10974 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 10975 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 10976 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 10977 start_va = 0xba0000 end_va = 0xba7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 10999 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 11000 start_va = 0xbb0000 end_va = 0xbb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 11001 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 11002 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 11009 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 11010 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Thread: id = 326 os_tid = 0xd38 [0130.034] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0130.034] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0130.034] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0130.034] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0130.034] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0130.034] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0130.035] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0130.035] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0130.035] GetProcessHeap () returned 0xc70000 [0130.035] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0130.036] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0130.036] GetLastError () returned 0x7e [0130.036] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0130.036] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0130.036] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x364) returned 0xc80a98 [0130.036] SetLastError (dwErrCode=0x7e) [0130.036] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0xe00) returned 0xc80e08 [0130.038] GetStartupInfoW (in: lpStartupInfo=0x18fd44 | out: lpStartupInfo=0x18fd44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0130.038] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0130.038] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0130.038] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0130.038] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"" [0130.038] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"" [0130.038] GetACP () returned 0x4e4 [0130.038] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x220) returned 0xc81c10 [0130.038] IsValidCodePage (CodePage=0x4e4) returned 1 [0130.038] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd64 | out: lpCPInfo=0x18fd64) returned 1 [0130.038] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f62c | out: lpCPInfo=0x18f62c) returned 1 [0130.038] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0130.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0130.039] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f640 | out: lpCharType=0x18f640) returned 1 [0130.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0130.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x18f388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0130.039] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0130.039] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0130.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0130.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f178, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0130.039] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿò\x9c²\x9e|ý\x18", lpUsedDefaultChar=0x0) returned 256 [0130.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0130.039] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0130.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0130.039] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0130.039] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa40, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿò\x9c²\x9e|ý\x18", lpUsedDefaultChar=0x0) returned 256 [0130.039] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x80) returned 0xc738a0 [0130.039] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1aa) returned 0xc81e38 [0130.040] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0130.040] GetLastError () returned 0x0 [0130.040] SetLastError (dwErrCode=0x0) [0130.040] GetEnvironmentStringsW () returned 0xc81ff0* [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0xa8c) returned 0xc82a88 [0130.040] FreeEnvironmentStringsW (penv=0xc81ff0) returned 1 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x90) returned 0xc74590 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3e) returned 0xc7ad00 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x5c) returned 0xc78868 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x6e) returned 0xc74658 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x78) returned 0xc83a48 [0130.040] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x62) returned 0xc74a28 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x28) returned 0xc73dc0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x48) returned 0xc74010 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1a) returned 0xc70570 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3a) returned 0xc7b138 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x62) returned 0xc73c20 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2a) returned 0xc78750 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2e) returned 0xc784b0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1c) returned 0xc73df0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x144) returned 0xc79ce0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x7c) returned 0xc780c8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x36) returned 0xc7e168 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3a) returned 0xc7a9e8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x90) returned 0xc743c8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc73940 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x30) returned 0xc78600 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x36) returned 0xc7e2e8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x48) returned 0xc72920 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x52) returned 0xc704b8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x3c) returned 0xc7ae68 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0xd6) returned 0xc79ea0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2e) returned 0xc78440 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x1e) returned 0xc72970 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2c) returned 0xc78590 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x54) returned 0xc73e38 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x52) returned 0xc74098 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc73e98 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x42) returned 0xc740f8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x2c) returned 0xc786a8 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x44) returned 0xc79fd0 [0130.041] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x24) returned 0xc73970 [0130.042] HeapFree (in: hHeap=0xc70000, dwFlags=0x0, lpMem=0xc82a88 | out: hHeap=0xc70000) returned 1 [0130.042] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x8, Size=0x800) returned 0xc81ff0 [0130.042] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0130.042] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0130.042] GetStartupInfoW (in: lpStartupInfo=0x18fda8 | out: lpStartupInfo=0x18fda8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0130.042] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"" [0130.043] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"", pNumArgs=0x18fd94 | out: pNumArgs=0x18fd94) returned 0xc82c40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0130.043] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0130.046] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x1000) returned 0xc84528 [0130.046] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x58) returned 0xc7a718 [0130.046] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumTokenCertificateIds", cchWideChar=-1, lpMultiByteStr=0xc7a718, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumTokenCertificateIds", lpUsedDefaultChar=0x0) returned 44 [0130.046] GetLastError () returned 0x0 [0130.046] SetLastError (dwErrCode=0x0) [0130.046] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsW") returned 0x0 [0130.046] GetLastError () returned 0x7f [0130.046] SetLastError (dwErrCode=0x7f) [0130.046] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsA") returned 0x0 [0130.046] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIds") returned 0x647c91d9 [0130.046] RtlAllocateHeap (HeapHandle=0xc70000, Flags=0x0, Size=0x4) returned 0xc73848 [0130.046] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xc73848, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0130.047] GetActiveWindow () returned 0x0 [0130.047] GetLastError () returned 0x7f [0130.047] SetLastError (dwErrCode=0x7f) Thread: id = 328 os_tid = 0xd54 Process: id = "164" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6bd9000" os_pid = "0x116c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "163" os_parent_pid = "0x114c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "165" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50ea6000" os_pid = "0x3b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11014 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11015 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11016 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11017 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11018 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11019 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11020 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11021 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11022 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11023 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11024 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11025 start_va = 0x7f340000 end_va = 0x7f362fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f340000" filename = "" Region: id = 11026 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11027 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11028 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11029 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11038 start_va = 0x410000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 11039 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11040 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11041 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11042 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11043 start_va = 0x560000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11069 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11070 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11071 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11072 start_va = 0x7f240000 end_va = 0x7f33ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f240000" filename = "" Region: id = 11073 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11074 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11075 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11076 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11077 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11078 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 11079 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11080 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11081 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11082 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11112 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11113 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11114 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11115 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11116 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 11117 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11118 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11119 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11120 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11121 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11122 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11123 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11124 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11125 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11126 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11166 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11167 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 11168 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11172 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11173 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11174 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 11175 start_va = 0xb70000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 11176 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11197 start_va = 0x660000 end_va = 0x6f0fff monitored = 0 entry_point = 0x698cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11198 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11200 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 11201 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11202 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11236 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 11251 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 11252 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 11253 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 11254 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11255 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 331 os_tid = 0x1244 [0132.154] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0132.155] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.155] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0132.155] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.155] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0132.155] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0132.156] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.156] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0132.157] GetProcessHeap () returned 0x750000 [0132.157] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.157] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0132.157] GetLastError () returned 0x7e [0132.157] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0132.157] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0132.157] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x760a80 [0132.157] SetLastError (dwErrCode=0x7e) [0132.158] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760df0 [0132.159] GetStartupInfoW (in: lpStartupInfo=0x18fb50 | out: lpStartupInfo=0x18fb50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0132.159] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0132.159] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0132.159] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0132.160] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"" [0132.160] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"" [0132.160] GetACP () returned 0x4e4 [0132.160] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761bf8 [0132.160] IsValidCodePage (CodePage=0x4e4) returned 1 [0132.160] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb70 | out: lpCPInfo=0x18fb70) returned 1 [0132.160] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f438 | out: lpCPInfo=0x18f438) returned 1 [0132.160] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.160] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0132.160] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f44c | out: lpCharType=0x18f44c) returned 1 [0132.160] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.160] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0132.160] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.160] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0132.161] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0132.161] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0132.161] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f94c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ3\x84/:\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0132.161] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.161] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0132.161] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0132.161] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0132.161] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ3\x84/:\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0132.161] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753888 [0132.161] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0132.161] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x19a) returned 0x761e20 [0132.161] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0132.161] GetLastError () returned 0x0 [0132.161] SetLastError (dwErrCode=0x0) [0132.161] GetEnvironmentStringsW () returned 0x761fc8* [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762a60 [0132.162] FreeEnvironmentStringsW (penv=0x761fc8) returned 1 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7547d8 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75ad30 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758ab0 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x7548a0 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x763720 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x754c70 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753da8 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x753ff8 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0132.162] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75adc0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753c08 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x7588b8 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758a08 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x753dd8 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759cc8 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x758310 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e2d0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75ae98 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7543b0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753928 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x7588f0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e710 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752910 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75ae08 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759e88 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x7586c0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752960 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758960 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x753e20 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x754080 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753e80 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x7540e0 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758848 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759fb8 [0132.163] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753958 [0132.164] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762a60 | out: hHeap=0x750000) returned 1 [0132.164] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761fc8 [0132.165] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0132.165] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0132.165] GetStartupInfoW (in: lpStartupInfo=0x18fbb4 | out: lpStartupInfo=0x18fbb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0132.165] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"" [0132.165] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"", pNumArgs=0x18fba0 | out: pNumArgs=0x18fba0) returned 0x762c18*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0132.167] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0132.174] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x764500 [0132.174] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x48) returned 0x75a700 [0132.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificate", cchWideChar=-1, lpMultiByteStr=0x75a700, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificate", lpUsedDefaultChar=0x0) returned 36 [0132.175] GetLastError () returned 0x0 [0132.175] SetLastError (dwErrCode=0x0) [0132.176] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateW") returned 0x0 [0132.176] GetLastError () returned 0x7f [0132.176] SetLastError (dwErrCode=0x7f) [0132.176] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateA") returned 0x0 [0132.176] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificate") returned 0x647c6e77 [0132.176] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753830 [0132.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x753830, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0132.177] GetActiveWindow () returned 0x0 [0132.187] GetLastError () returned 0x7f [0132.187] SetLastError (dwErrCode=0x7f) Thread: id = 337 os_tid = 0xd34 Process: id = "166" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6bf7b000" os_pid = "0x14c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11047 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11048 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11049 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11050 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11051 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11052 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11053 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11054 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11055 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 11056 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11057 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11058 start_va = 0x7ec30000 end_va = 0x7ec52fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec30000" filename = "" Region: id = 11059 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11060 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11061 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11062 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11084 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11085 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11086 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11087 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11088 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11089 start_va = 0xa40000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 11090 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11091 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11135 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11136 start_va = 0x7eb30000 end_va = 0x7ec2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb30000" filename = "" Region: id = 11137 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11138 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11139 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11140 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11141 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 11142 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11143 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11144 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11145 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11146 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11147 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11148 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11149 start_va = 0xa30000 end_va = 0xa33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 11150 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11151 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11152 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11178 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11179 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11180 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11181 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11182 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11183 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11184 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11185 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 11186 start_va = 0xa40000 end_va = 0xa69fff monitored = 0 entry_point = 0xa45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11187 start_va = 0xbb0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 11188 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11203 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11204 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11205 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 11206 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 11207 start_va = 0xa40000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 11208 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11209 start_va = 0xa40000 end_va = 0xad0fff monitored = 0 entry_point = 0xa78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11210 start_va = 0xb80000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 11237 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11256 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 11257 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 11258 start_va = 0xa50000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 11287 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 11288 start_va = 0xa60000 end_va = 0xa61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 11289 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 11290 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 11334 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 11335 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Thread: id = 334 os_tid = 0x1178 [0132.254] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0132.254] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.254] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0132.254] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.255] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0132.255] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0132.255] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.256] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0132.256] GetProcessHeap () returned 0xbb0000 [0132.256] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.256] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0132.256] GetLastError () returned 0x7e [0132.256] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0132.256] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0132.256] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x364) returned 0xbc0a88 [0132.257] SetLastError (dwErrCode=0x7e) [0132.257] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0xe00) returned 0xbc0df8 [0132.258] GetStartupInfoW (in: lpStartupInfo=0x18f9e4 | out: lpStartupInfo=0x18f9e4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0132.258] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0132.258] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0132.258] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0132.259] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"" [0132.259] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"" [0132.259] GetACP () returned 0x4e4 [0132.259] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0x220) returned 0xbc1c00 [0132.259] IsValidCodePage (CodePage=0x4e4) returned 1 [0132.259] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa04 | out: lpCPInfo=0x18fa04) returned 1 [0132.259] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2cc | out: lpCPInfo=0x18f2cc) returned 1 [0132.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x18f068, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0132.259] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2e0 | out: lpCharType=0x18f2e0) returned 1 [0132.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.259] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0132.259] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0132.259] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0132.259] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0132.260] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0132.260] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿpàB\x15\x1cú\x18", lpUsedDefaultChar=0x0) returned 256 [0132.260] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0132.260] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8e0, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0132.260] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0132.260] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0132.260] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿpàB\x15\x1cú\x18", lpUsedDefaultChar=0x0) returned 256 [0132.260] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0x80) returned 0xbb3890 [0132.260] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0132.260] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x19e) returned 0xbc1e28 [0132.260] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0132.260] GetLastError () returned 0x0 [0132.260] SetLastError (dwErrCode=0x0) [0132.260] GetEnvironmentStringsW () returned 0xbc1fd0* [0132.260] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0xa8c) returned 0xbc2a68 [0132.261] FreeEnvironmentStringsW (penv=0xbc1fd0) returned 1 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x90) returned 0xbb4580 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x3e) returned 0xbbaab0 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x5c) returned 0xbb8ab8 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x6e) returned 0xbb4648 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x78) returned 0xbc4328 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x62) returned 0xbb4a18 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x28) returned 0xbb3db0 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x48) returned 0xbb4000 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x1a) returned 0xbb0570 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x3a) returned 0xbbad38 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x62) returned 0xbb3c10 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x2a) returned 0xbb8430 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x2e) returned 0xbb8708 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x1c) returned 0xbb3de0 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x144) returned 0xbb9cd0 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x7c) returned 0xbb80b8 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x36) returned 0xbbe558 [0132.261] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x3a) returned 0xbbaa68 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x90) returned 0xbb43b8 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x24) returned 0xbb3930 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x30) returned 0xbb8628 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x36) returned 0xbbe658 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x48) returned 0xbb2918 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x52) returned 0xbb04b8 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x3c) returned 0xbbab40 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0xd6) returned 0xbb9e90 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x2e) returned 0xbb84d8 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x1e) returned 0xbb2968 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x2c) returned 0xbb8740 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x54) returned 0xbb3e28 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x52) returned 0xbb4088 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x24) returned 0xbb3e88 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x42) returned 0xbb40e8 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x2c) returned 0xbb8548 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x44) returned 0xbb9fc0 [0132.262] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x24) returned 0xbb3960 [0132.263] HeapFree (in: hHeap=0xbb0000, dwFlags=0x0, lpMem=0xbc2a68 | out: hHeap=0xbb0000) returned 1 [0132.447] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x8, Size=0x800) returned 0xbc1fd0 [0132.447] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0132.447] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0132.447] GetStartupInfoW (in: lpStartupInfo=0x18fa48 | out: lpStartupInfo=0x18fa48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0132.447] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"" [0132.448] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"", pNumArgs=0x18fa34 | out: pNumArgs=0x18fa34) returned 0xbc2c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0132.448] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0132.451] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0x1000) returned 0xbc4508 [0132.451] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0x4c) returned 0xbba708 [0132.451] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificateId", cchWideChar=-1, lpMultiByteStr=0xbba708, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificateId", lpUsedDefaultChar=0x0) returned 38 [0132.452] GetLastError () returned 0x0 [0132.452] SetLastError (dwErrCode=0x0) [0132.452] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdW") returned 0x0 [0132.452] GetLastError () returned 0x7f [0132.452] SetLastError (dwErrCode=0x7f) [0132.452] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdA") returned 0x0 [0132.452] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateId") returned 0x647c69cb [0132.452] RtlAllocateHeap (HeapHandle=0xbb0000, Flags=0x0, Size=0x4) returned 0xbb3838 [0132.452] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xbb3838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0132.453] GetActiveWindow () returned 0x0 [0132.536] GetLastError () returned 0x7f [0132.536] SetLastError (dwErrCode=0x7f) Thread: id = 339 os_tid = 0x11e0 Process: id = "167" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50c94000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11153 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11154 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11155 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11156 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11157 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11158 start_va = 0x990000 end_va = 0x991fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 11159 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11160 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11161 start_va = 0x7f900000 end_va = 0x7f922fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f900000" filename = "" Region: id = 11162 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11163 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11164 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11165 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11169 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11170 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11171 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11191 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11192 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11193 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11194 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11195 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11196 start_va = 0x9a0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 11224 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11225 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11226 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11227 start_va = 0x7f800000 end_va = 0x7f8fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f800000" filename = "" Region: id = 11228 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11229 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 11230 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11231 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11232 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11233 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 11234 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11259 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11260 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11261 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11262 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11263 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11264 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11265 start_va = 0x990000 end_va = 0x993fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 11266 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11267 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11268 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11269 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11270 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11271 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11272 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11273 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11274 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11291 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11292 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 11293 start_va = 0xaa0000 end_va = 0xac9fff monitored = 0 entry_point = 0xaa5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11294 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11304 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11305 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11306 start_va = 0xaa0000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 11307 start_va = 0xc30000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 11308 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11310 start_va = 0xc50000 end_va = 0xce0fff monitored = 0 entry_point = 0xc88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11341 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11342 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 11343 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 11344 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 11345 start_va = 0xc50000 end_va = 0xc57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 11361 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 11377 start_va = 0xc60000 end_va = 0xc61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 11378 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 11379 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 11380 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c50000" filename = "" Region: id = 11381 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Thread: id = 338 os_tid = 0xd44 [0133.005] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0133.006] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0133.006] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0133.006] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0133.006] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0133.006] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0133.007] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0133.007] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0133.007] GetProcessHeap () returned 0x9a0000 [0133.007] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0133.007] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0133.007] GetLastError () returned 0x7e [0133.007] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0133.008] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0133.008] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x364) returned 0x9b0a90 [0133.008] SetLastError (dwErrCode=0x7e) [0133.008] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xe00) returned 0x9b0e00 [0133.010] GetStartupInfoW (in: lpStartupInfo=0x18fd14 | out: lpStartupInfo=0x18fd14*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0133.010] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0133.010] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0133.010] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0133.010] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"" [0133.010] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"" [0133.010] GetACP () returned 0x4e4 [0133.010] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x220) returned 0x9b1c08 [0133.010] IsValidCodePage (CodePage=0x4e4) returned 1 [0133.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd34 | out: lpCPInfo=0x18fd34) returned 1 [0133.010] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5fc | out: lpCPInfo=0x18f5fc) returned 1 [0133.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0133.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0133.010] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f610 | out: lpCharType=0x18f610) returned 1 [0133.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0133.010] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x18f358, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0133.010] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0133.010] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0133.010] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0133.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f148, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0133.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿUí\x97úLý\x18", lpUsedDefaultChar=0x0) returned 256 [0133.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0133.011] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc10, cbMultiByte=256, lpWideCharStr=0x18f368, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0133.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0133.011] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f158, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0133.011] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿUí\x97úLý\x18", lpUsedDefaultChar=0x0) returned 256 [0133.011] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x80) returned 0x9a3898 [0133.011] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0133.011] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1a6) returned 0x9b1e30 [0133.011] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0133.011] GetLastError () returned 0x0 [0133.011] SetLastError (dwErrCode=0x0) [0133.011] GetEnvironmentStringsW () returned 0x9b1fe8* [0133.011] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa8c) returned 0x9b2a80 [0133.012] FreeEnvironmentStringsW (penv=0x9b1fe8) returned 1 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a47e8 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3e) returned 0x9aabd8 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x5c) returned 0x9a8ac0 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x6e) returned 0x9a48b0 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x78) returned 0x9b3ac0 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a4c80 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x28) returned 0x9a4018 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a4268 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1a) returned 0x9a0570 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aad88 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a3c18 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2a) returned 0x9a8708 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a88c8 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1c) returned 0x9a4048 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x144) returned 0x9a9cd8 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x7c) returned 0x9a8320 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae5a0 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aafc8 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a4620 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3938 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x30) returned 0x9a8778 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae660 [0133.012] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a2920 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a04b8 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3c) returned 0x9aaf38 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xd6) returned 0x9a9e98 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a8a18 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1e) returned 0x9a2970 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8820 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x54) returned 0x9a4090 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a42f0 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a40f0 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x42) returned 0x9a4350 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a87b0 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x44) returned 0x9a9fc8 [0133.013] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3968 [0133.013] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9b2a80 | out: hHeap=0x9a0000) returned 1 [0133.024] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x800) returned 0x9b1fe8 [0133.024] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0133.024] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0133.024] GetStartupInfoW (in: lpStartupInfo=0x18fd78 | out: lpStartupInfo=0x18fd78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0133.024] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"" [0133.024] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"", pNumArgs=0x18fd64 | out: pNumArgs=0x18fd64) returned 0x9b2c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0133.025] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0133.028] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x1000) returned 0x9b4520 [0133.028] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x54) returned 0x9aa7f8 [0133.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificateIdList", cchWideChar=-1, lpMultiByteStr=0x9aa7f8, cbMultiByte=84, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificateIdList", lpUsedDefaultChar=0x0) returned 42 [0133.028] GetLastError () returned 0x0 [0133.029] SetLastError (dwErrCode=0x0) [0133.030] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdListW") returned 0x0 [0133.030] GetLastError () returned 0x7f [0133.030] SetLastError (dwErrCode=0x7f) [0133.030] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdListA") returned 0x0 [0133.030] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdList") returned 0x647c90f5 [0133.030] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x4) returned 0x9a3840 [0133.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x9a3840, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0133.030] GetActiveWindow () returned 0x0 [0133.031] GetLastError () returned 0x7f [0133.032] SetLastError (dwErrCode=0x7f) Thread: id = 341 os_tid = 0xd08 Process: id = "168" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x12fd9000" os_pid = "0x11d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "165" os_parent_pid = "0x3b8" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 952 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11311 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11312 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11313 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11314 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11315 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 11316 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 11317 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11318 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11319 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 11320 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 11321 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 11322 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11323 start_va = 0x7ed90000 end_va = 0x7edb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed90000" filename = "" Region: id = 11324 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11325 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11326 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 11327 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11328 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11329 start_va = 0x100000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 11330 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11331 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11332 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11333 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11346 start_va = 0x6e0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 11347 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11348 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11349 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11350 start_va = 0x7ec90000 end_va = 0x7ed8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec90000" filename = "" Region: id = 11351 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11352 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11353 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 11354 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 11355 start_va = 0x1a0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 11356 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11357 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11358 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11362 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 11363 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11364 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11365 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 11366 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11367 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11368 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11369 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 11370 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 11371 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11372 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 11373 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 11374 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 11382 start_va = 0x860000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 11383 start_va = 0x920000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 11384 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 11385 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 11386 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11387 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11389 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 11390 start_va = 0x6f0000 end_va = 0x719fff monitored = 0 entry_point = 0x6f5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11391 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11392 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 11393 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 11394 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 11395 start_va = 0x6f0000 end_va = 0x6f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 11396 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11397 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 11398 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 11399 start_va = 0xae0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 11448 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 11449 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 11450 start_va = 0x720000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 11451 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11452 start_va = 0x720000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 11453 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 11454 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11455 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11456 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11457 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11458 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11459 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11460 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11461 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11462 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11463 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11495 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11496 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11497 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11498 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11499 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11500 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11501 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11502 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11503 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11504 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11505 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11506 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11507 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11508 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11509 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11510 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11511 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 11526 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11527 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 11528 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 11529 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 11556 start_va = 0x720000 end_va = 0x721fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 11557 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11558 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 11559 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11560 start_va = 0x6f8c0000 end_va = 0x6f92ffff monitored = 0 entry_point = 0x6f914b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 11561 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 11571 start_va = 0xbb0000 end_va = 0xc99fff monitored = 0 entry_point = 0xbed650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11572 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 11573 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11574 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 11575 start_va = 0xbb0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 11576 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11584 start_va = 0xcb0000 end_va = 0xfe6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 11585 start_va = 0x730000 end_va = 0x731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11586 start_va = 0x730000 end_va = 0x733fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11587 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11588 start_va = 0x730000 end_va = 0x737fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11589 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 11593 start_va = 0x730000 end_va = 0x739fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11594 start_va = 0x730000 end_va = 0x73bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11595 start_va = 0x730000 end_va = 0x73dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11596 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11597 start_va = 0x730000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11598 start_va = 0x730000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11599 start_va = 0x730000 end_va = 0x745fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11600 start_va = 0x730000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11601 start_va = 0x730000 end_va = 0x749fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11602 start_va = 0x730000 end_va = 0x74bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11603 start_va = 0x730000 end_va = 0x74dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11604 start_va = 0x730000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11606 start_va = 0xff0000 end_va = 0x10cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 11665 start_va = 0x6630000 end_va = 0x66f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 11666 start_va = 0xae0000 end_va = 0xb98fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 11667 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 11675 start_va = 0x6700000 end_va = 0x67a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 11695 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 11696 start_va = 0x740000 end_va = 0x742fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 11697 start_va = 0x750000 end_va = 0x753fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 11698 start_va = 0x6630000 end_va = 0x6e2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 11699 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11700 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11701 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11702 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11703 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11704 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11705 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11706 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11707 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11708 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11709 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11710 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11711 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11712 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11714 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11715 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11716 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11717 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11718 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11719 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11720 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11721 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11722 start_va = 0x6630000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 11723 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11724 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11725 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11726 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11728 start_va = 0x8e0000 end_va = 0x8e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11729 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 11730 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11731 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11732 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11733 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11734 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11735 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11736 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 11737 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 11738 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 11739 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 11741 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 11742 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 11743 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 11744 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 11745 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 11746 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12080 start_va = 0x690000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 12081 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 12082 start_va = 0xb20000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 12083 start_va = 0xb60000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 12084 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 12085 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 12092 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12246 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 12247 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12361 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12499 start_va = 0x8e0000 end_va = 0x8e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 12500 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 12501 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 12647 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 12928 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 12929 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 12934 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 12935 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 13139 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 13356 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 13357 start_va = 0x6f840000 end_va = 0x6f8bafff monitored = 0 entry_point = 0x6f864d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 13381 start_va = 0x6830000 end_va = 0x686ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006830000" filename = "" Region: id = 13382 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 13383 start_va = 0x6f7b0000 end_va = 0x6f830fff monitored = 0 entry_point = 0x6f7b6310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 13384 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 13385 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 13386 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 13387 start_va = 0x68b0000 end_va = 0x696bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068b0000" filename = "" Region: id = 13388 start_va = 0x900000 end_va = 0x903fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 13389 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 13390 start_va = 0xab0000 end_va = 0xab3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 13391 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 13392 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 13393 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13394 start_va = 0x6970000 end_va = 0x6970fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 13395 start_va = 0x6f740000 end_va = 0x6f74cfff monitored = 0 entry_point = 0x6f747d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 13396 start_va = 0x6980000 end_va = 0x6982fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 13397 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13398 start_va = 0x6990000 end_va = 0x6e81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 13399 start_va = 0x6e90000 end_va = 0x7ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 13410 start_va = 0x7ed0000 end_va = 0x7f11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007ed0000" filename = "" Region: id = 13417 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 13418 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 342 os_tid = 0xd28 Thread: id = 343 os_tid = 0xd14 Thread: id = 347 os_tid = 0x11c0 Thread: id = 368 os_tid = 0x1210 Thread: id = 369 os_tid = 0x1324 Thread: id = 370 os_tid = 0x1378 Thread: id = 408 os_tid = 0xc88 Thread: id = 422 os_tid = 0x11f0 Process: id = "169" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50b42000" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "165" os_parent_pid = "0x3b8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "170" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x47411000" os_pid = "0x1228" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "166" os_parent_pid = "0x14c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "171" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6a50000" os_pid = "0x970" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "167" os_parent_pid = "0xd60" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "172" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x506ac000" os_pid = "0x1298" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11402 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11403 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11404 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11405 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11406 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11407 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11408 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11409 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11410 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11411 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11412 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11413 start_va = 0x7f3e0000 end_va = 0x7f402fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3e0000" filename = "" Region: id = 11414 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11415 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11416 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11417 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11419 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 11420 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11421 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11422 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11423 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11424 start_va = 0x510000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 11425 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11427 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11428 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11429 start_va = 0x7f2e0000 end_va = 0x7f3dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2e0000" filename = "" Region: id = 11430 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11431 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11432 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11433 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11434 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 11435 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 11436 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11437 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11438 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11439 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11464 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11465 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11466 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11467 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11468 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 11469 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11470 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11471 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11472 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11473 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11474 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11475 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11476 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11477 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11512 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11513 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11514 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 11515 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11530 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11531 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11532 start_va = 0x8f0000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 11533 start_va = 0xa80000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 11534 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11535 start_va = 0xa80000 end_va = 0xb10fff monitored = 0 entry_point = 0xab8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11536 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 11544 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11545 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 11546 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11547 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11577 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 11578 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 11579 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 11580 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 11581 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11582 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 344 os_tid = 0x340 [0134.398] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0134.398] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0134.398] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0134.398] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0134.399] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0134.399] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0134.399] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0134.400] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0134.400] GetProcessHeap () returned 0x660000 [0134.400] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0134.400] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0134.400] GetLastError () returned 0x7e [0134.401] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0134.401] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0134.401] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x364) returned 0x670a88 [0134.401] SetLastError (dwErrCode=0x7e) [0134.401] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xe00) returned 0x670df8 [0134.403] GetStartupInfoW (in: lpStartupInfo=0x18fd68 | out: lpStartupInfo=0x18fd68*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0134.403] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0134.403] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0134.403] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0134.403] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"" [0134.403] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"" [0134.403] GetACP () returned 0x4e4 [0134.403] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x220) returned 0x671c00 [0134.403] IsValidCodePage (CodePage=0x4e4) returned 1 [0134.403] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd88 | out: lpCPInfo=0x18fd88) returned 1 [0134.404] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f650 | out: lpCPInfo=0x18f650) returned 1 [0134.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x18f3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0134.404] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f664 | out: lpCharType=0x18f664) returned 1 [0134.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.404] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x18f3a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0134.404] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0134.404] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0134.405] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0134.405] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f198, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0134.405] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x95\x87v| ý\x18", lpUsedDefaultChar=0x0) returned 256 [0134.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.405] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc64, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0134.405] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0134.405] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0134.405] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa64, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x95\x87v| ý\x18", lpUsedDefaultChar=0x0) returned 256 [0134.405] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x80) returned 0x663890 [0134.405] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0134.405] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x1a0) returned 0x671e28 [0134.405] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0134.405] GetLastError () returned 0x0 [0134.405] SetLastError (dwErrCode=0x0) [0134.405] GetEnvironmentStringsW () returned 0x671fd0* [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0xa8c) returned 0x672a68 [0134.406] FreeEnvironmentStringsW (penv=0x671fd0) returned 1 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x90) returned 0x6647e0 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x3e) returned 0x66ab88 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x5c) returned 0x668ab8 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x6e) returned 0x6648a8 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x78) returned 0x673e28 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x62) returned 0x664c78 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x28) returned 0x663db0 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x48) returned 0x664000 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x1a) returned 0x660570 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x3a) returned 0x66afc0 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x62) returned 0x663c10 [0134.406] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x2a) returned 0x668818 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x2e) returned 0x668968 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x1c) returned 0x663de0 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x144) returned 0x669cd0 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x7c) returned 0x668318 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x36) returned 0x66e598 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x3a) returned 0x66b008 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x90) returned 0x6643b8 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x24) returned 0x663930 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x30) returned 0x6689a0 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x36) returned 0x66df98 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x48) returned 0x662918 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x52) returned 0x6604b8 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x3c) returned 0x66aea0 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0xd6) returned 0x669e90 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x2e) returned 0x6687a8 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x1e) returned 0x662968 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x2c) returned 0x668850 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x54) returned 0x663e28 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x52) returned 0x664088 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x24) returned 0x663e88 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x42) returned 0x6640e8 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x2c) returned 0x6689d8 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x44) returned 0x669fc0 [0134.407] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x24) returned 0x663960 [0134.409] HeapFree (in: hHeap=0x660000, dwFlags=0x0, lpMem=0x672a68 | out: hHeap=0x660000) returned 1 [0134.409] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x8, Size=0x800) returned 0x671fd0 [0134.409] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0134.409] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0134.409] GetStartupInfoW (in: lpStartupInfo=0x18fdcc | out: lpStartupInfo=0x18fdcc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0134.409] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"" [0134.409] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"", pNumArgs=0x18fdb8 | out: pNumArgs=0x18fdb8) returned 0x672c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0134.410] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0134.413] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x1000) returned 0x674508 [0134.413] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x4e) returned 0x66a7f0 [0134.413] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x66a7f0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateBlob", lpUsedDefaultChar=0x0) returned 39 [0134.413] GetLastError () returned 0x0 [0134.413] SetLastError (dwErrCode=0x0) [0134.414] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobW") returned 0x0 [0134.414] GetLastError () returned 0x7f [0134.414] SetLastError (dwErrCode=0x7f) [0134.414] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobA") returned 0x0 [0134.414] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlob") returned 0x647c8232 [0134.414] RtlAllocateHeap (HeapHandle=0x660000, Flags=0x0, Size=0x4) returned 0x663838 [0134.414] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x663838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0134.414] GetActiveWindow () returned 0x0 [0134.415] GetLastError () returned 0x7f [0134.415] SetLastError (dwErrCode=0x7f) Thread: id = 346 os_tid = 0xd18 Process: id = "173" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x731fc000" os_pid = "0x11e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "172" os_parent_pid = "0x1298" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "174" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x57cc3000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11608 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11609 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11610 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11611 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11612 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11613 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11614 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11615 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11616 start_va = 0x760000 end_va = 0x761fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 11617 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11618 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11619 start_va = 0x7efe0000 end_va = 0x7f002fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 11620 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11621 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11622 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11623 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11625 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11626 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11627 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11628 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11629 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11630 start_va = 0x770000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 11632 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11633 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11634 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11635 start_va = 0x7eee0000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eee0000" filename = "" Region: id = 11636 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11637 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11638 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11639 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11640 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 11641 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11642 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11644 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11645 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11646 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11647 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11648 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11649 start_va = 0x760000 end_va = 0x763fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 11650 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11651 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11652 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11653 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11654 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11655 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11656 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11657 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11658 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11659 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11661 start_va = 0x770000 end_va = 0x799fff monitored = 0 entry_point = 0x775680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11662 start_va = 0x8c0000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 11663 start_va = 0x9c0000 end_va = 0xb47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 11664 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11669 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11670 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11671 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 11672 start_va = 0x770000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 11673 start_va = 0xb50000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 11674 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11677 start_va = 0x770000 end_va = 0x800fff monitored = 0 entry_point = 0x7a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11678 start_va = 0x840000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 11679 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11680 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 11681 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 11682 start_va = 0x780000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 11687 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 11688 start_va = 0x790000 end_va = 0x791fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 11689 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 11690 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 11691 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 11692 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Thread: id = 349 os_tid = 0xd24 [0135.591] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0135.591] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0135.592] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0135.592] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0135.592] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0135.592] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0135.593] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0135.593] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0135.593] GetProcessHeap () returned 0x8c0000 [0135.593] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0135.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0135.594] GetLastError () returned 0x7e [0135.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0135.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0135.594] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x364) returned 0x8d0a88 [0135.594] SetLastError (dwErrCode=0x7e) [0135.594] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0xe00) returned 0x8d0df8 [0135.597] GetStartupInfoW (in: lpStartupInfo=0x18f744 | out: lpStartupInfo=0x18f744*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0135.597] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0135.597] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0135.597] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0135.597] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"" [0135.597] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"" [0135.597] GetACP () returned 0x4e4 [0135.597] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x220) returned 0x8d1c00 [0135.597] IsValidCodePage (CodePage=0x4e4) returned 1 [0135.597] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f764 | out: lpCPInfo=0x18f764) returned 1 [0135.597] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f02c | out: lpCPInfo=0x18f02c) returned 1 [0135.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0135.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0135.597] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f040 | out: lpCharType=0x18f040) returned 1 [0135.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0135.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0135.598] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0135.598] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0135.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0135.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0135.598] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f540, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²\x89\x19z|÷\x18", lpUsedDefaultChar=0x0) returned 256 [0135.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0135.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f640, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0135.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0135.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0135.598] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f440, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²\x89\x19z|÷\x18", lpUsedDefaultChar=0x0) returned 256 [0135.598] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x80) returned 0x8c3890 [0135.598] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0135.598] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x19c) returned 0x8d1e28 [0135.598] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0135.599] GetLastError () returned 0x0 [0135.599] SetLastError (dwErrCode=0x0) [0135.599] GetEnvironmentStringsW () returned 0x8d1fd0* [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0xa8c) returned 0x8d2a68 [0135.599] FreeEnvironmentStringsW (penv=0x8d1fd0) returned 1 [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x90) returned 0x8c47e0 [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3e) returned 0x8caf30 [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x5c) returned 0x8c8ab8 [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x6e) returned 0x8c48a8 [0135.599] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x78) returned 0x8d3f28 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x62) returned 0x8c4c78 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x28) returned 0x8c3db0 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x48) returned 0x8c4260 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1a) returned 0x8c0570 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3a) returned 0x8caaf8 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x62) returned 0x8c3c10 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2a) returned 0x8c8700 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2e) returned 0x8c8690 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1c) returned 0x8c3de0 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x144) returned 0x8c9cd0 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x7c) returned 0x8c8318 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x36) returned 0x8ce618 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3a) returned 0x8cac18 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x90) returned 0x8c4618 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3930 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x30) returned 0x8c86c8 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x36) returned 0x8ce718 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x48) returned 0x8c2918 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x52) returned 0x8c04b8 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3c) returned 0x8ca9d8 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0xd6) returned 0x8c9e90 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2e) returned 0x8c87a8 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1e) returned 0x8c2968 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2c) returned 0x8c89a0 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x54) returned 0x8c3e28 [0135.600] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x52) returned 0x8c42e8 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3e88 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x42) returned 0x8c4348 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2c) returned 0x8c8770 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x44) returned 0x8c9fc0 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3960 [0135.601] HeapFree (in: hHeap=0x8c0000, dwFlags=0x0, lpMem=0x8d2a68 | out: hHeap=0x8c0000) returned 1 [0135.601] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x800) returned 0x8d1fd0 [0135.602] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0135.602] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0135.602] GetStartupInfoW (in: lpStartupInfo=0x18f7a8 | out: lpStartupInfo=0x18f7a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0135.602] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"" [0135.602] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"", pNumArgs=0x18f794 | out: pNumArgs=0x18f794) returned 0x8d2c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0135.603] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0135.606] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x1000) returned 0x8d4508 [0135.606] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x4a) returned 0x8ca7f0 [0135.606] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateId", cchWideChar=-1, lpMultiByteStr=0x8ca7f0, cbMultiByte=74, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateId", lpUsedDefaultChar=0x0) returned 37 [0135.606] GetLastError () returned 0x0 [0135.606] SetLastError (dwErrCode=0x0) [0135.606] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdW") returned 0x0 [0135.606] GetLastError () returned 0x7f [0135.606] SetLastError (dwErrCode=0x7f) [0135.607] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdA") returned 0x0 [0135.607] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateId") returned 0x647c8109 [0135.607] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x4) returned 0x8c3838 [0135.607] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x8c3838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0135.607] GetActiveWindow () returned 0x0 [0135.611] GetLastError () returned 0x7f [0135.611] SetLastError (dwErrCode=0x7f) Thread: id = 351 os_tid = 0x11f4 Process: id = "175" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3526000" os_pid = "0x12c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "174" os_parent_pid = "0xa88" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "176" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50202000" os_pid = "0x12c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11748 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11749 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11750 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11751 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11752 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11753 start_va = 0xa80000 end_va = 0xa81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 11754 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11755 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11756 start_va = 0x7e7d0000 end_va = 0x7e7f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7d0000" filename = "" Region: id = 11757 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11758 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11759 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11760 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11762 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11763 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11764 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11765 start_va = 0x400000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11766 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11767 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11768 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11769 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11770 start_va = 0xa90000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 11771 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11772 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11774 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11775 start_va = 0x7e6d0000 end_va = 0x7e7cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6d0000" filename = "" Region: id = 11776 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11777 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 11778 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11779 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11780 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11781 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 11782 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11783 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11784 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11785 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11786 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11787 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11788 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11789 start_va = 0xa80000 end_va = 0xa83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 11790 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11791 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11793 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11794 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11795 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11796 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11797 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11798 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11799 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11800 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11801 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 11802 start_va = 0xa90000 end_va = 0xab9fff monitored = 0 entry_point = 0xa95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11803 start_va = 0xaf0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 11804 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11806 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11807 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11808 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 11809 start_va = 0xbf0000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 11810 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11811 start_va = 0xbf0000 end_va = 0xc80fff monitored = 0 entry_point = 0xc28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11812 start_va = 0xd80000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 11814 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11815 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 11816 start_va = 0xaa0000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 11817 start_va = 0xaa0000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 11821 start_va = 0xaa0000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 11822 start_va = 0xab0000 end_va = 0xab1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 11823 start_va = 0xaa0000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 11824 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 11825 start_va = 0xaa0000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 11826 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Thread: id = 352 os_tid = 0x864 [0136.456] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0136.456] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0136.456] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0136.457] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0136.457] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0136.457] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0136.458] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0136.458] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0136.458] GetProcessHeap () returned 0xaf0000 [0136.458] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0136.459] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0136.459] GetLastError () returned 0x7e [0136.459] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0136.459] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0136.459] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x364) returned 0xb009a8 [0136.459] SetLastError (dwErrCode=0x7e) [0136.459] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0xe00) returned 0xb00d18 [0136.461] GetStartupInfoW (in: lpStartupInfo=0x18fb24 | out: lpStartupInfo=0x18fb24*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0136.461] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0136.461] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0136.462] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0136.462] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"" [0136.462] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"" [0136.462] GetACP () returned 0x4e4 [0136.462] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x220) returned 0xb01b20 [0136.462] IsValidCodePage (CodePage=0x4e4) returned 1 [0136.462] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb44 | out: lpCPInfo=0x18fb44) returned 1 [0136.462] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f40c | out: lpCPInfo=0x18f40c) returned 1 [0136.462] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.462] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0136.462] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f420 | out: lpCharType=0x18f420) returned 1 [0136.462] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.462] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0136.462] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0136.463] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0136.463] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0136.463] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0136.463] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f920, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°6µ\x8c\\û\x18", lpUsedDefaultChar=0x0) returned 256 [0136.463] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.463] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpWideCharStr=0x18f178, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0136.463] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0136.463] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0136.463] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f820, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°6µ\x8c\\û\x18", lpUsedDefaultChar=0x0) returned 256 [0136.463] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x80) returned 0xaf3880 [0136.463] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0136.463] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x196) returned 0xb01d48 [0136.463] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0136.463] GetLastError () returned 0x0 [0136.463] SetLastError (dwErrCode=0x0) [0136.463] GetEnvironmentStringsW () returned 0xb01ee8* [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0xa8c) returned 0xb02980 [0136.464] FreeEnvironmentStringsW (penv=0xb01ee8) returned 1 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x90) returned 0xaf4570 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3e) returned 0xafaaa0 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x5c) returned 0xaf8aa8 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x6e) returned 0xaf4638 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x78) returned 0xb04240 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x62) returned 0xaf4a08 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x28) returned 0xaf3da0 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x48) returned 0xaf3ff0 [0136.464] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1a) returned 0xaf0570 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3a) returned 0xafad28 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x62) returned 0xaf3c00 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2a) returned 0xaf8458 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2e) returned 0xaf86f8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1c) returned 0xaf3dd0 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x144) returned 0xaf9cc0 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x7c) returned 0xaf80a8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x36) returned 0xafe078 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3a) returned 0xafad70 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x90) returned 0xaf43a8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3920 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x30) returned 0xaf8500 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x36) returned 0xafdff8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x48) returned 0xaf2910 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x52) returned 0xaf04b8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3c) returned 0xafac50 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0xd6) returned 0xaf9e80 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2e) returned 0xaf8570 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1e) returned 0xaf2960 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2c) returned 0xaf8768 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x54) returned 0xaf3e18 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x52) returned 0xaf4078 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3e78 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x42) returned 0xaf40d8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2c) returned 0xaf84c8 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x44) returned 0xaf9fb0 [0136.465] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3950 [0136.466] HeapFree (in: hHeap=0xaf0000, dwFlags=0x0, lpMem=0xb02980 | out: hHeap=0xaf0000) returned 1 [0136.466] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x800) returned 0xb01ee8 [0136.467] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0136.467] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0136.467] GetStartupInfoW (in: lpStartupInfo=0x18fb88 | out: lpStartupInfo=0x18fb88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0136.467] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"" [0136.467] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"", pNumArgs=0x18fb74 | out: pNumArgs=0x18fb74) returned 0xb02b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0136.468] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0136.478] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x1000) returned 0xb04420 [0136.479] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x44) returned 0xafa6f8 [0136.479] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getPromptMask", cchWideChar=-1, lpMultiByteStr=0xafa6f8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getPromptMask", lpUsedDefaultChar=0x0) returned 34 [0136.479] GetLastError () returned 0x0 [0136.479] SetLastError (dwErrCode=0x0) [0136.479] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskW") returned 0x0 [0136.479] GetLastError () returned 0x7f [0136.479] SetLastError (dwErrCode=0x7f) [0136.479] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskA") returned 0x0 [0136.479] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMask") returned 0x647c8041 [0136.480] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x4) returned 0xaf3828 [0136.480] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xaf3828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0136.480] GetActiveWindow () returned 0x0 [0136.481] GetLastError () returned 0x7f [0136.481] SetLastError (dwErrCode=0x7f) Thread: id = 354 os_tid = 0x1184 Process: id = "177" image_name = "wermgr.exe" filename = "c:\\windows\\syswow64\\wermgr.exe" page_root = "0x502c5000" os_pid = "0x1334" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "141" os_parent_pid = "0xfcc" cmd_line = "C:\\Windows\\SysWOW64\\wermgr.exe" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11828 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11829 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11830 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11831 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11832 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11833 start_va = 0x910000 end_va = 0x935fff monitored = 0 entry_point = 0x919700 region_type = mapped_file name = "wermgr.exe" filename = "\\Windows\\SysWOW64\\wermgr.exe" (normalized: "c:\\windows\\syswow64\\wermgr.exe") Region: id = 11834 start_va = 0x940000 end_va = 0x493ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 11835 start_va = 0x4940000 end_va = 0x4941fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 11836 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11837 start_va = 0x7f0f0000 end_va = 0x7f112fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0f0000" filename = "" Region: id = 11838 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11839 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11840 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 11841 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11842 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11843 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 11844 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 11845 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 11846 start_va = 0x4950000 end_va = 0x4973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004950000" filename = "" Region: id = 11847 start_va = 0x4980000 end_va = 0x4981fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004980000" filename = "" Region: id = 13003 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13004 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13005 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13006 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13007 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13008 start_va = 0x4990000 end_va = 0x4beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 13017 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13018 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13019 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13020 start_va = 0x7eff0000 end_va = 0x7f0effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eff0000" filename = "" Region: id = 13021 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13022 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13041 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13042 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13043 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 13044 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13045 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13046 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13047 start_va = 0x4940000 end_va = 0x4943fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 13048 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13049 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13050 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13051 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13057 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13058 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 13059 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13075 start_va = 0x4bf0000 end_va = 0x4deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bf0000" filename = "" Region: id = 13076 start_va = 0x4990000 end_va = 0x4a79fff monitored = 0 entry_point = 0x49cd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13077 start_va = 0x4af0000 end_va = 0x4beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004af0000" filename = "" Region: id = 13078 start_va = 0x4990000 end_va = 0x4a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004990000" filename = "" Region: id = 13101 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13102 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13103 start_va = 0x5c0000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 13104 start_va = 0x4990000 end_va = 0x49b9fff monitored = 0 entry_point = 0x4995680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13105 start_va = 0x4a80000 end_va = 0x4a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a80000" filename = "" Region: id = 13106 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13119 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13120 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 13121 start_va = 0x750000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 13122 start_va = 0x4df0000 end_va = 0x61effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004df0000" filename = "" Region: id = 13132 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13133 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13134 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13135 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13136 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13137 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13138 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13141 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13142 start_va = 0x4bf0000 end_va = 0x4ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bf0000" filename = "" Region: id = 13143 start_va = 0x4de0000 end_va = 0x4deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 13144 start_va = 0x743a0000 end_va = 0x743b2fff monitored = 0 entry_point = 0x743a1d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 13145 start_va = 0x6f9d0000 end_va = 0x6f9ebfff monitored = 0 entry_point = 0x6f9d4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 13146 start_va = 0x6f9b0000 end_va = 0x6f9c4fff monitored = 0 entry_point = 0x6f9b5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 13147 start_va = 0x6f9a0000 end_va = 0x6f9a9fff monitored = 0 entry_point = 0x6f9a28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 13148 start_va = 0x6f970000 end_va = 0x6f99efff monitored = 0 entry_point = 0x6f985140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 13149 start_va = 0x6f960000 end_va = 0x6f96ffff monitored = 0 entry_point = 0x6f9634d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 13150 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 13151 start_va = 0x6f940000 end_va = 0x6f958fff monitored = 0 entry_point = 0x6f9447e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 13152 start_va = 0x77200000 end_va = 0x7725efff monitored = 0 entry_point = 0x77204af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 13208 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13209 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 13210 start_va = 0x6f930000 end_va = 0x6f93efff monitored = 0 entry_point = 0x6f932a50 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 13211 start_va = 0x4990000 end_va = 0x4990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004990000" filename = "" Region: id = 13220 start_va = 0x61f0000 end_va = 0x6526fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 13222 start_va = 0x6f8e0000 end_va = 0x6f923fff monitored = 0 entry_point = 0x6f8faaf0 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 13223 start_va = 0x49a0000 end_va = 0x49a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049a0000" filename = "" Region: id = 13227 start_va = 0x6f8c0000 end_va = 0x6f8d2fff monitored = 0 entry_point = 0x6f8c5c60 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\SysWOW64\\samlib.dll" (normalized: "c:\\windows\\syswow64\\samlib.dll") Region: id = 13292 start_va = 0x719f0000 end_va = 0x71bfcfff monitored = 0 entry_point = 0x71adacb0 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 13293 start_va = 0x71c00000 end_va = 0x71d7dfff monitored = 0 entry_point = 0x71c7c630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 13294 start_va = 0x73f60000 end_va = 0x7422afff monitored = 0 entry_point = 0x7419c4c0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 13309 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 13310 start_va = 0x6530000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 13340 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 13347 start_va = 0x4e0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 13348 start_va = 0x520000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 13349 start_va = 0x77350000 end_va = 0x774c7fff monitored = 0 entry_point = 0x773a8a90 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 13351 start_va = 0x755a0000 end_va = 0x755adfff monitored = 0 entry_point = 0x755a5410 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 13352 start_va = 0x560000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13353 start_va = 0x49b0000 end_va = 0x49effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 13354 start_va = 0x6700000 end_va = 0x7110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 13355 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 13902 start_va = 0x49f0000 end_va = 0x4a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000049f0000" filename = "" Region: id = 13903 start_va = 0x4a30000 end_va = 0x4a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a30000" filename = "" Region: id = 13904 start_va = 0x4a90000 end_va = 0x4acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 13905 start_va = 0x4bf0000 end_va = 0x4c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004bf0000" filename = "" Region: id = 13906 start_va = 0x4d40000 end_va = 0x4ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d40000" filename = "" Region: id = 13907 start_va = 0x7120000 end_va = 0x7611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007120000" filename = "" Region: id = 13908 start_va = 0x7620000 end_va = 0x7b1cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 13913 start_va = 0x7b20000 end_va = 0x8012fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b20000" filename = "" Region: id = 13965 start_va = 0x4c30000 end_va = 0x4d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c30000" filename = "" Region: id = 14012 start_va = 0x4a70000 end_va = 0x4a73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a70000" filename = "" Region: id = 14013 start_va = 0x4a90000 end_va = 0x4a9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 14014 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 14015 start_va = 0x66f0000 end_va = 0x66fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 14016 start_va = 0x4a90000 end_va = 0x4aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 14017 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 14018 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14019 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14020 start_va = 0x8020000 end_va = 0x881ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008020000" filename = "" Region: id = 14021 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14022 start_va = 0x8020000 end_va = 0x881ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008020000" filename = "" Region: id = 14023 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14024 start_va = 0x8020000 end_va = 0x881ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008020000" filename = "" Region: id = 14025 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14026 start_va = 0x8020000 end_va = 0x881ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008020000" filename = "" Region: id = 14027 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14058 start_va = 0x8020000 end_va = 0x821ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008020000" filename = "" Region: id = 14155 start_va = 0x6630000 end_va = 0x66b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14156 start_va = 0x8220000 end_va = 0x82abfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14158 start_va = 0x6630000 end_va = 0x66c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14159 start_va = 0x8220000 end_va = 0x82b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14161 start_va = 0x6630000 end_va = 0x66cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14162 start_va = 0x8220000 end_va = 0x82c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14163 start_va = 0x6630000 end_va = 0x66d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14164 start_va = 0x8220000 end_va = 0x82c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14181 start_va = 0x6630000 end_va = 0x66e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14190 start_va = 0x8220000 end_va = 0x82d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14191 start_va = 0x6630000 end_va = 0x66ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14230 start_va = 0x8220000 end_va = 0x82d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14231 start_va = 0x6630000 end_va = 0x66ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14254 start_va = 0x8220000 end_va = 0x82e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14255 start_va = 0x6630000 end_va = 0x66ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14273 start_va = 0x8220000 end_va = 0x82ecfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14274 start_va = 0x82f0000 end_va = 0x83bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000082f0000" filename = "" Region: id = 14315 start_va = 0x83c0000 end_va = 0x8492fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000083c0000" filename = "" Region: id = 14374 start_va = 0x8220000 end_va = 0x82f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14424 start_va = 0x8300000 end_va = 0x83d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 14485 start_va = 0x8220000 end_va = 0x82fcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14486 start_va = 0x8300000 end_va = 0x83d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 14545 start_va = 0x8220000 end_va = 0x82fcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14546 start_va = 0x8300000 end_va = 0x83e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 14547 start_va = 0x83f0000 end_va = 0x84dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000083f0000" filename = "" Region: id = 14548 start_va = 0x8220000 end_va = 0x830efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14549 start_va = 0x8310000 end_va = 0x8408fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008310000" filename = "" Region: id = 14551 start_va = 0x8410000 end_va = 0x8508fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008410000" filename = "" Region: id = 14552 start_va = 0x8220000 end_va = 0x8319fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14553 start_va = 0x8320000 end_va = 0x8419fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008320000" filename = "" Region: id = 14570 start_va = 0x8220000 end_va = 0x831bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14579 start_va = 0x8320000 end_va = 0x8429fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008320000" filename = "" Region: id = 14600 start_va = 0x8430000 end_va = 0x8537fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008430000" filename = "" Region: id = 14611 start_va = 0x8220000 end_va = 0x832ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14623 start_va = 0x8330000 end_va = 0x843dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008330000" filename = "" Region: id = 14639 start_va = 0x8440000 end_va = 0x8550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008440000" filename = "" Region: id = 14707 start_va = 0x8220000 end_va = 0x833afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14708 start_va = 0x8340000 end_va = 0x8461fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008340000" filename = "" Region: id = 14775 start_va = 0x8220000 end_va = 0x833bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14847 start_va = 0x8340000 end_va = 0x8460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008340000" filename = "" Region: id = 14885 start_va = 0x8470000 end_va = 0x85a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008470000" filename = "" Region: id = 14886 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14887 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14888 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14889 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14890 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14891 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14892 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14893 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14894 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14895 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14896 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14897 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14898 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14899 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14900 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14901 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14902 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14903 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14904 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14905 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14906 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14907 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14908 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14909 start_va = 0x4a90000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14910 start_va = 0x85b0000 end_va = 0x8daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000085b0000" filename = "" Region: id = 14911 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 14912 start_va = 0x4a90000 end_va = 0x4a90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14913 start_va = 0x6630000 end_va = 0x66ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 14914 start_va = 0x4a90000 end_va = 0x4a93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a90000" filename = "" Region: id = 14915 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 14916 start_va = 0x8220000 end_va = 0x8349fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 14917 start_va = 0x8350000 end_va = 0x847bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008350000" filename = "" Region: id = 16264 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16265 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16266 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16267 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16268 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16269 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16270 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16271 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16272 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16273 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16274 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16275 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16276 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16277 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16278 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16279 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16804 start_va = 0x8480000 end_va = 0x897cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 16833 start_va = 0x7120000 end_va = 0x7616fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 16834 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16835 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16836 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16837 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16838 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16839 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16840 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16841 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16842 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16843 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16844 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16845 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16846 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16847 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16848 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16849 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16850 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16851 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16852 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 16853 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 16886 start_va = 0x8980000 end_va = 0x8d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008980000" filename = "" Region: id = 16926 start_va = 0x7e20000 end_va = 0x7ea4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16927 start_va = 0x7eb0000 end_va = 0x7f3afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007eb0000" filename = "" Region: id = 16934 start_va = 0x7e20000 end_va = 0x7eaafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16935 start_va = 0x7eb0000 end_va = 0x7f48fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007eb0000" filename = "" Region: id = 16941 start_va = 0x7f50000 end_va = 0x7fe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f50000" filename = "" Region: id = 16942 start_va = 0x7e20000 end_va = 0x7ec3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16943 start_va = 0x7ed0000 end_va = 0x7f6afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ed0000" filename = "" Region: id = 16950 start_va = 0x7e20000 end_va = 0x7ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16951 start_va = 0x7ed0000 end_va = 0x7f7afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ed0000" filename = "" Region: id = 16954 start_va = 0x7e20000 end_va = 0x7ecafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16955 start_va = 0x7ed0000 end_va = 0x7f82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ed0000" filename = "" Region: id = 16967 start_va = 0x7e20000 end_va = 0x7ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 16971 start_va = 0x7ed0000 end_va = 0x7f8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ed0000" filename = "" Region: id = 16992 start_va = 0x8220000 end_va = 0x82e2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 16993 start_va = 0x7e20000 end_va = 0x7edbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17002 start_va = 0x7ee0000 end_va = 0x7fa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ee0000" filename = "" Region: id = 17018 start_va = 0x8220000 end_va = 0x82e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 17037 start_va = 0x7e20000 end_va = 0x7ee9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17038 start_va = 0x7ef0000 end_va = 0x7fbafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ef0000" filename = "" Region: id = 17044 start_va = 0x8220000 end_va = 0x82f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 17051 start_va = 0x7e20000 end_va = 0x7ef7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17057 start_va = 0x7f00000 end_va = 0x7fe2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 17058 start_va = 0x8220000 end_va = 0x8304fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 17118 start_va = 0x7e20000 end_va = 0x7efefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17169 start_va = 0x7f00000 end_va = 0x7fe2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f00000" filename = "" Region: id = 17243 start_va = 0x8220000 end_va = 0x825ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008220000" filename = "" Region: id = 17244 start_va = 0x8260000 end_va = 0x829ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008260000" filename = "" Region: id = 17245 start_va = 0x8d80000 end_va = 0x8e69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 17318 start_va = 0x7e20000 end_va = 0x7f12fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17319 start_va = 0x82a0000 end_va = 0x82dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000082a0000" filename = "" Region: id = 17320 start_va = 0x82e0000 end_va = 0x831ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000082e0000" filename = "" Region: id = 17321 start_va = 0x7f20000 end_va = 0x8018fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f20000" filename = "" Region: id = 17384 start_va = 0x7e20000 end_va = 0x7f1dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17471 start_va = 0x7f20000 end_va = 0x801bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f20000" filename = "" Region: id = 17549 start_va = 0x8d80000 end_va = 0x8e88fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 17623 start_va = 0x7e20000 end_va = 0x7f2cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e20000" filename = "" Region: id = 17624 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17625 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17626 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17627 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17628 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17629 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17630 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17631 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17632 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17633 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17634 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17635 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17636 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17637 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17638 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17639 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17640 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17641 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17642 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17643 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17644 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17645 start_va = 0x7620000 end_va = 0x7e1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007620000" filename = "" Region: id = 17646 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17647 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17648 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17649 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17650 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17651 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17652 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17653 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17654 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17655 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17656 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17657 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17658 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17659 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17660 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17661 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17662 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17663 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17664 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17665 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 17669 start_va = 0x7620000 end_va = 0x7722fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 17670 start_va = 0x7730000 end_va = 0x783efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007730000" filename = "" Region: id = 17676 start_va = 0x7620000 end_va = 0x772bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 17677 start_va = 0x7730000 end_va = 0x7849fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007730000" filename = "" Region: id = 17699 start_va = 0x7850000 end_va = 0x7964fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007850000" filename = "" Region: id = 17708 start_va = 0x7620000 end_va = 0x773efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 17762 start_va = 0x7740000 end_va = 0x7859fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007740000" filename = "" Region: id = 17779 start_va = 0x7860000 end_va = 0x7988fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Region: id = 17798 start_va = 0x7620000 end_va = 0x7748fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 17810 start_va = 0x7750000 end_va = 0x787cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 17851 start_va = 0x7880000 end_va = 0x79b4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007880000" filename = "" Region: id = 18768 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18769 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 18770 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18771 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18772 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18773 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18774 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18775 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18776 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18777 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18778 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18779 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18780 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18781 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18782 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18783 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18784 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18785 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18786 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18787 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18788 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18789 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18790 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 18791 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 19653 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19654 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19655 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19656 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19657 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19658 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19659 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19660 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19661 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19662 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19663 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19664 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19665 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19666 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19667 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19668 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19669 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19670 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19671 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19672 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19673 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19674 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 19675 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19676 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19677 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19678 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19679 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19680 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 19681 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20110 start_va = 0x7120000 end_va = 0x7611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007120000" filename = "" Region: id = 20111 start_va = 0x79c0000 end_va = 0x7ebcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 20115 start_va = 0x8480000 end_va = 0x897bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 20222 start_va = 0x7620000 end_va = 0x76abfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20223 start_va = 0x76b0000 end_va = 0x773cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076b0000" filename = "" Region: id = 20224 start_va = 0x7740000 end_va = 0x77d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007740000" filename = "" Region: id = 20227 start_va = 0x7620000 end_va = 0x76b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20244 start_va = 0x76c0000 end_va = 0x7756fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076c0000" filename = "" Region: id = 20245 start_va = 0x7620000 end_va = 0x76b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20253 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20254 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20255 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20256 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20257 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20258 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20259 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20260 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20261 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20262 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20263 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20264 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20265 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20266 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20267 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 20268 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20269 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20270 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20271 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20272 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20273 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20274 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20275 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20276 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20277 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20278 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20279 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20280 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20281 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20282 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20283 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20284 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20285 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20286 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20287 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20288 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20289 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 20290 start_va = 0x76c0000 end_va = 0x775bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076c0000" filename = "" Region: id = 20291 start_va = 0x7620000 end_va = 0x76befff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20328 start_va = 0x76c0000 end_va = 0x7769fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076c0000" filename = "" Region: id = 20329 start_va = 0x7770000 end_va = 0x781dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007770000" filename = "" Region: id = 20357 start_va = 0x7620000 end_va = 0x76c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20372 start_va = 0x76d0000 end_va = 0x7785fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076d0000" filename = "" Region: id = 20373 start_va = 0x7790000 end_va = 0x7843fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007790000" filename = "" Region: id = 20388 start_va = 0x7620000 end_va = 0x76d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20392 start_va = 0x76e0000 end_va = 0x779cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076e0000" filename = "" Region: id = 20393 start_va = 0x7620000 end_va = 0x76ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20398 start_va = 0x76e0000 end_va = 0x77abfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076e0000" filename = "" Region: id = 20400 start_va = 0x7ec0000 end_va = 0x7f94fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20401 start_va = 0x7620000 end_va = 0x76edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20420 start_va = 0x76f0000 end_va = 0x77bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000076f0000" filename = "" Region: id = 20427 start_va = 0x7ec0000 end_va = 0x7f99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20441 start_va = 0x7620000 end_va = 0x7702fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20460 start_va = 0x7710000 end_va = 0x77ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007710000" filename = "" Region: id = 20468 start_va = 0x7620000 end_va = 0x76fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20474 start_va = 0x7700000 end_va = 0x77e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007700000" filename = "" Region: id = 20479 start_va = 0x7ec0000 end_va = 0x7fa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20482 start_va = 0x7620000 end_va = 0x770afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20483 start_va = 0x7710000 end_va = 0x7808fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007710000" filename = "" Region: id = 20486 start_va = 0x7ec0000 end_va = 0x7fbcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20487 start_va = 0x7620000 end_va = 0x7718fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20488 start_va = 0x7720000 end_va = 0x7821fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007720000" filename = "" Region: id = 20489 start_va = 0x7ec0000 end_va = 0x7fc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20492 start_va = 0x7620000 end_va = 0x772ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20495 start_va = 0x7730000 end_va = 0x7842fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007730000" filename = "" Region: id = 20496 start_va = 0x7ec0000 end_va = 0x7fd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20497 start_va = 0x7620000 end_va = 0x7731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20514 start_va = 0x7740000 end_va = 0x7860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007740000" filename = "" Region: id = 20522 start_va = 0x7620000 end_va = 0x773dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20537 start_va = 0x7740000 end_va = 0x7861fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007740000" filename = "" Region: id = 20556 start_va = 0x7ec0000 end_va = 0x7fecfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20581 start_va = 0x7620000 end_va = 0x774efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20582 start_va = 0x7750000 end_va = 0x7878fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 20587 start_va = 0x7620000 end_va = 0x7745fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007620000" filename = "" Region: id = 20680 start_va = 0x7120000 end_va = 0x7611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007120000" filename = "" Region: id = 20681 start_va = 0x79c0000 end_va = 0x7eb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 20682 start_va = 0x8480000 end_va = 0x8975fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 20707 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20708 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20709 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20710 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20711 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20712 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20713 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20714 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20715 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20716 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20717 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20718 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20719 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20720 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20721 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20722 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20723 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20724 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20725 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20726 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20727 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20728 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 20729 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20730 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20731 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20732 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20733 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20734 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20735 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20736 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20737 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20738 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20739 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20740 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20741 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20742 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20743 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20744 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20745 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20746 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20747 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20748 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 20833 start_va = 0x7750000 end_va = 0x77d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 20866 start_va = 0x77e0000 end_va = 0x7872fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000077e0000" filename = "" Region: id = 20867 start_va = 0x7ec0000 end_va = 0x7f50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20915 start_va = 0x7750000 end_va = 0x77e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 20916 start_va = 0x7ec0000 end_va = 0x7f59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 20944 start_va = 0x7120000 end_va = 0x71befff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 20945 start_va = 0x71c0000 end_va = 0x7267fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071c0000" filename = "" Region: id = 20972 start_va = 0x7270000 end_va = 0x7317fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007270000" filename = "" Region: id = 20973 start_va = 0x7120000 end_va = 0x71c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 20985 start_va = 0x71d0000 end_va = 0x7275fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071d0000" filename = "" Region: id = 20991 start_va = 0x7280000 end_va = 0x7333fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007280000" filename = "" Region: id = 21006 start_va = 0x7120000 end_va = 0x71dcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21007 start_va = 0x71e0000 end_va = 0x729efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071e0000" filename = "" Region: id = 21034 start_va = 0x7120000 end_va = 0x71d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21036 start_va = 0x71e0000 end_va = 0x72a2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071e0000" filename = "" Region: id = 21037 start_va = 0x72b0000 end_va = 0x7375fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072b0000" filename = "" Region: id = 21057 start_va = 0x7120000 end_va = 0x71ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21068 start_va = 0x71f0000 end_va = 0x72c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000071f0000" filename = "" Region: id = 21087 start_va = 0x72d0000 end_va = 0x73a5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072d0000" filename = "" Region: id = 21111 start_va = 0x7120000 end_va = 0x71fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21125 start_va = 0x7200000 end_va = 0x72d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 21126 start_va = 0x7120000 end_va = 0x71fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21150 start_va = 0x7200000 end_va = 0x72e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 21153 start_va = 0x72f0000 end_va = 0x73d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072f0000" filename = "" Region: id = 21161 start_va = 0x7120000 end_va = 0x720bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21163 start_va = 0x7210000 end_va = 0x7302fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007210000" filename = "" Region: id = 21186 start_va = 0x7310000 end_va = 0x7408fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007310000" filename = "" Region: id = 21187 start_va = 0x7120000 end_va = 0x7212fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21210 start_va = 0x7220000 end_va = 0x7313fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007220000" filename = "" Region: id = 21211 start_va = 0x7120000 end_va = 0x7215fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21237 start_va = 0x7220000 end_va = 0x7327fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007220000" filename = "" Region: id = 21246 start_va = 0x7330000 end_va = 0x743cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007330000" filename = "" Region: id = 21248 start_va = 0x7120000 end_va = 0x7221fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21266 start_va = 0x7230000 end_va = 0x733afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007230000" filename = "" Region: id = 21291 start_va = 0x7340000 end_va = 0x7452fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007340000" filename = "" Region: id = 21306 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21307 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 21308 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21309 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21310 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21311 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21312 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21313 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21314 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21315 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21316 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21317 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21318 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21319 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21320 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21321 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21322 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21323 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21324 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21325 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21326 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21327 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21328 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21329 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 21348 start_va = 0x7120000 end_va = 0x7230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21373 start_va = 0x7240000 end_va = 0x735bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007240000" filename = "" Region: id = 21398 start_va = 0x7120000 end_va = 0x7239fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21427 start_va = 0x7240000 end_va = 0x735efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007240000" filename = "" Region: id = 21439 start_va = 0x7360000 end_va = 0x7486fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007360000" filename = "" Region: id = 21469 start_va = 0x7120000 end_va = 0x724afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21479 start_va = 0x7250000 end_va = 0x7377fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21482 start_va = 0x7120000 end_va = 0x724bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007120000" filename = "" Region: id = 21567 start_va = 0x79c0000 end_va = 0x7eb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000079c0000" filename = "" Region: id = 21568 start_va = 0x8480000 end_va = 0x8977fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 21573 start_va = 0x9580000 end_va = 0x9a81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009580000" filename = "" Region: id = 21710 start_va = 0x7250000 end_va = 0x72d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21712 start_va = 0x72e0000 end_va = 0x7371fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072e0000" filename = "" Region: id = 21714 start_va = 0x7380000 end_va = 0x7418fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007380000" filename = "" Region: id = 21732 start_va = 0x7250000 end_va = 0x72eafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21733 start_va = 0x72f0000 end_va = 0x7386fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072f0000" filename = "" Region: id = 21734 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21735 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21736 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21737 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21738 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21739 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21740 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21741 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21742 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21743 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21744 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21745 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21746 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21747 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21748 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21749 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21750 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21751 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21752 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21753 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21754 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 21755 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 21777 start_va = 0x7250000 end_va = 0x72e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21797 start_va = 0x72f0000 end_va = 0x738dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072f0000" filename = "" Region: id = 21806 start_va = 0x7390000 end_va = 0x743afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007390000" filename = "" Region: id = 21807 start_va = 0x7250000 end_va = 0x72f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21813 start_va = 0x7300000 end_va = 0x73b4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007300000" filename = "" Region: id = 21815 start_va = 0x73c0000 end_va = 0x7474fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000073c0000" filename = "" Region: id = 21816 start_va = 0x7250000 end_va = 0x7306fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21824 start_va = 0x7310000 end_va = 0x73c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007310000" filename = "" Region: id = 21826 start_va = 0x73d0000 end_va = 0x7491fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000073d0000" filename = "" Region: id = 21828 start_va = 0x7250000 end_va = 0x7313fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21829 start_va = 0x7320000 end_va = 0x73e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007320000" filename = "" Region: id = 21831 start_va = 0x73f0000 end_va = 0x74c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000073f0000" filename = "" Region: id = 21833 start_va = 0x7250000 end_va = 0x7318fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21837 start_va = 0x7320000 end_va = 0x73eafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007320000" filename = "" Region: id = 21838 start_va = 0x7250000 end_va = 0x731dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21856 start_va = 0x7320000 end_va = 0x73f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007320000" filename = "" Region: id = 21864 start_va = 0x7400000 end_va = 0x74d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 21879 start_va = 0x7250000 end_va = 0x732afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21895 start_va = 0x7330000 end_va = 0x740ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007330000" filename = "" Region: id = 21903 start_va = 0x7410000 end_va = 0x74fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007410000" filename = "" Region: id = 21912 start_va = 0x7250000 end_va = 0x733afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21918 start_va = 0x7340000 end_va = 0x742efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007340000" filename = "" Region: id = 21922 start_va = 0x7430000 end_va = 0x7529fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007430000" filename = "" Region: id = 21930 start_va = 0x7250000 end_va = 0x7344fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21932 start_va = 0x7350000 end_va = 0x744ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007350000" filename = "" Region: id = 21934 start_va = 0x7250000 end_va = 0x7349fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21936 start_va = 0x7350000 end_va = 0x7454fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007350000" filename = "" Region: id = 21938 start_va = 0x7460000 end_va = 0x7569fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007460000" filename = "" Region: id = 21940 start_va = 0x7250000 end_va = 0x7361fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21958 start_va = 0x7370000 end_va = 0x7486fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007370000" filename = "" Region: id = 21967 start_va = 0x7250000 end_va = 0x735dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 21988 start_va = 0x7360000 end_va = 0x7476fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007360000" filename = "" Region: id = 22007 start_va = 0x7480000 end_va = 0x759bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007480000" filename = "" Region: id = 22015 start_va = 0x7250000 end_va = 0x736ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22019 start_va = 0x7370000 end_va = 0x7494fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007370000" filename = "" Region: id = 22028 start_va = 0x74a0000 end_va = 0x75c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074a0000" filename = "" Region: id = 22036 start_va = 0x7250000 end_va = 0x737cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22038 start_va = 0x7380000 end_va = 0x74affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007380000" filename = "" Region: id = 22103 start_va = 0x9580000 end_va = 0x9a81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009580000" filename = "" Region: id = 22119 start_va = 0x8480000 end_va = 0x8976fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 22192 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22193 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22194 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22195 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22196 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22197 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22198 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22199 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22200 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22201 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22202 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22203 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22204 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22205 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22206 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22207 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22208 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22209 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22210 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22211 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22212 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22213 start_va = 0x8d80000 end_va = 0x957ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008d80000" filename = "" Region: id = 22214 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22215 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22216 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22217 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22218 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22219 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22220 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22221 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22222 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22223 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22224 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22225 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22273 start_va = 0x7250000 end_va = 0x72ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22274 start_va = 0x72e0000 end_va = 0x736efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072e0000" filename = "" Region: id = 22275 start_va = 0x74b0000 end_va = 0x7546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22281 start_va = 0x7250000 end_va = 0x72dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22282 start_va = 0x72e0000 end_va = 0x7374fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000072e0000" filename = "" Region: id = 22283 start_va = 0x74b0000 end_va = 0x7548fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22284 start_va = 0x7250000 end_va = 0x72f8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22285 start_va = 0x74b0000 end_va = 0x7554fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22286 start_va = 0x7250000 end_va = 0x72f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22287 start_va = 0x74b0000 end_va = 0x755efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22288 start_va = 0x7250000 end_va = 0x72fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22289 start_va = 0x74b0000 end_va = 0x7560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22290 start_va = 0x7250000 end_va = 0x7309fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22309 start_va = 0x74b0000 end_va = 0x7572fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22310 start_va = 0x7250000 end_va = 0x7315fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22317 start_va = 0x74b0000 end_va = 0x7575fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22335 start_va = 0x7250000 end_va = 0x731efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22336 start_va = 0x74b0000 end_va = 0x7580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22353 start_va = 0x7250000 end_va = 0x731ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22354 start_va = 0x74b0000 end_va = 0x7581fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22362 start_va = 0x7250000 end_va = 0x732ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22367 start_va = 0x74b0000 end_va = 0x7589fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22374 start_va = 0x7250000 end_va = 0x7334fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22375 start_va = 0x74b0000 end_va = 0x7590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22378 start_va = 0x7250000 end_va = 0x7332fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22381 start_va = 0x74b0000 end_va = 0x7595fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22394 start_va = 0x7250000 end_va = 0x733afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22400 start_va = 0x74b0000 end_va = 0x75a5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22401 start_va = 0x7250000 end_va = 0x7350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22404 start_va = 0x74b0000 end_va = 0x75a9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22406 start_va = 0x7250000 end_va = 0x7350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22423 start_va = 0x74b0000 end_va = 0x75bcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22432 start_va = 0x7250000 end_va = 0x7351fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22452 start_va = 0x74b0000 end_va = 0x75bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22464 start_va = 0x7250000 end_va = 0x7362fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22471 start_va = 0x74b0000 end_va = 0x75cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22479 start_va = 0x7250000 end_va = 0x7366fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22481 start_va = 0x74b0000 end_va = 0x75cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22489 start_va = 0x7250000 end_va = 0x736bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22490 start_va = 0x74b0000 end_va = 0x75d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22491 start_va = 0x7250000 end_va = 0x7374fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22495 start_va = 0x74b0000 end_va = 0x75e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22496 start_va = 0x7250000 end_va = 0x737bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007250000" filename = "" Region: id = 22558 start_va = 0x79c0000 end_va = 0x7eb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000079c0000" filename = "" Region: id = 22559 start_va = 0x8d80000 end_va = 0x9281fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 22571 start_va = 0x8480000 end_va = 0x8976fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 22578 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22579 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22580 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22581 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22582 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22583 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22584 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22585 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22586 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22587 start_va = 0x9290000 end_va = 0x9a8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009290000" filename = "" Region: id = 22588 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22589 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22590 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22591 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22592 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22593 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22594 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22595 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22596 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22597 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22598 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22599 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22600 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22601 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22602 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22603 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22604 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22605 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22606 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22607 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22608 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 22609 start_va = 0x9290000 end_va = 0x9a8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009290000" filename = "" Region: id = 22784 start_va = 0x74b0000 end_va = 0x7534fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22785 start_va = 0x7540000 end_va = 0x75c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007540000" filename = "" Region: id = 22796 start_va = 0x74b0000 end_va = 0x753afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22797 start_va = 0x7540000 end_va = 0x75d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007540000" filename = "" Region: id = 22798 start_va = 0x7750000 end_va = 0x77e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22799 start_va = 0x74b0000 end_va = 0x7552fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22806 start_va = 0x7560000 end_va = 0x7606fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007560000" filename = "" Region: id = 22814 start_va = 0x74b0000 end_va = 0x7550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22815 start_va = 0x7560000 end_va = 0x760ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007560000" filename = "" Region: id = 22850 start_va = 0x7750000 end_va = 0x7803fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22858 start_va = 0x74b0000 end_va = 0x7561fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22859 start_va = 0x7570000 end_va = 0x761efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007570000" filename = "" Region: id = 22877 start_va = 0x74b0000 end_va = 0x756afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22903 start_va = 0x7750000 end_va = 0x7806fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22904 start_va = 0x74b0000 end_va = 0x7577fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22909 start_va = 0x7750000 end_va = 0x7816fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22916 start_va = 0x74b0000 end_va = 0x7572fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22919 start_va = 0x7750000 end_va = 0x7823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22920 start_va = 0x74b0000 end_va = 0x757bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22922 start_va = 0x7750000 end_va = 0x7824fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22925 start_va = 0x74b0000 end_va = 0x7583fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22927 start_va = 0x7750000 end_va = 0x782afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22934 start_va = 0x74b0000 end_va = 0x758afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22937 start_va = 0x7750000 end_va = 0x7838fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22938 start_va = 0x74b0000 end_va = 0x759ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22955 start_va = 0x7750000 end_va = 0x783efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 22966 start_va = 0x74b0000 end_va = 0x759dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 22993 start_va = 0x7750000 end_va = 0x784bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23023 start_va = 0x74b0000 end_va = 0x75acfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23024 start_va = 0x7750000 end_va = 0x7850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23044 start_va = 0x74b0000 end_va = 0x75b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23045 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23046 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23047 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23048 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23049 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23050 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23051 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23052 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23053 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23054 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23055 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23056 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23057 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23058 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23059 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23060 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23061 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23062 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23063 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23064 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23065 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23066 start_va = 0x9290000 end_va = 0x9a8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009290000" filename = "" Region: id = 23067 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23068 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23069 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23070 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23071 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23072 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23073 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23074 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23075 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23076 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23077 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23078 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23079 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23080 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23098 start_va = 0x7750000 end_va = 0x7859fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23102 start_va = 0x74b0000 end_va = 0x75bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23108 start_va = 0x7750000 end_va = 0x785bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23110 start_va = 0x74b0000 end_va = 0x75c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23111 start_va = 0x7750000 end_va = 0x786afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23112 start_va = 0x74b0000 end_va = 0x75c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23113 start_va = 0x7750000 end_va = 0x786efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23114 start_va = 0x74b0000 end_va = 0x75d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23115 start_va = 0x7750000 end_va = 0x786dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23140 start_va = 0x74b0000 end_va = 0x75d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23141 start_va = 0x7750000 end_va = 0x787ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23172 start_va = 0x74b0000 end_va = 0x75ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000074b0000" filename = "" Region: id = 23197 start_va = 0x8480000 end_va = 0x8973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 23214 start_va = 0x8d80000 end_va = 0x927ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 23288 start_va = 0x7750000 end_va = 0x77d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23289 start_va = 0x77e0000 end_va = 0x786ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000077e0000" filename = "" Region: id = 23293 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23294 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23295 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23296 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23297 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23298 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23299 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23300 start_va = 0x9280000 end_va = 0x9a7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009280000" filename = "" Region: id = 23301 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23302 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23303 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23304 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23305 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23306 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23307 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23308 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23309 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23310 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23311 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23312 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23313 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23314 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23315 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23316 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23317 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23318 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23319 start_va = 0x7750000 end_va = 0x77dcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23321 start_va = 0x77e0000 end_va = 0x7870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000077e0000" filename = "" Region: id = 23322 start_va = 0x79c0000 end_va = 0x7a51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23325 start_va = 0x7750000 end_va = 0x77f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23342 start_va = 0x79c0000 end_va = 0x7a65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23343 start_va = 0x7750000 end_va = 0x77f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23351 start_va = 0x79c0000 end_va = 0x7a69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23352 start_va = 0x7750000 end_va = 0x77f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23369 start_va = 0x79c0000 end_va = 0x7a73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23384 start_va = 0x7750000 end_va = 0x780cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23394 start_va = 0x79c0000 end_va = 0x7a77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23401 start_va = 0x7750000 end_va = 0x7807fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23402 start_va = 0x79c0000 end_va = 0x7a79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23411 start_va = 0x7750000 end_va = 0x7814fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23412 start_va = 0x79c0000 end_va = 0x7a8efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23417 start_va = 0x7750000 end_va = 0x7821fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23418 start_va = 0x79c0000 end_va = 0x7a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23419 start_va = 0x7750000 end_va = 0x7825fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23420 start_va = 0x79c0000 end_va = 0x7a9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23437 start_va = 0x7750000 end_va = 0x782cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23438 start_va = 0x79c0000 end_va = 0x7a9afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23447 start_va = 0x7750000 end_va = 0x783afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23462 start_va = 0x79c0000 end_va = 0x7aa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23479 start_va = 0x7750000 end_va = 0x783ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23487 start_va = 0x79c0000 end_va = 0x7ab4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23488 start_va = 0x7750000 end_va = 0x7842fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23495 start_va = 0x79c0000 end_va = 0x7abcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23520 start_va = 0x7750000 end_va = 0x7851fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23523 start_va = 0x79c0000 end_va = 0x7ab9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23552 start_va = 0x7750000 end_va = 0x7852fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23562 start_va = 0x79c0000 end_va = 0x7ac8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23597 start_va = 0x7750000 end_va = 0x7860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23618 start_va = 0x79c0000 end_va = 0x7acefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23641 start_va = 0x7750000 end_va = 0x7863fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23655 start_va = 0x79c0000 end_va = 0x7ad4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23695 start_va = 0x7750000 end_va = 0x786bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23703 start_va = 0x79c0000 end_va = 0x7ae2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23708 start_va = 0x7750000 end_va = 0x787bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23715 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23716 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23717 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23718 start_va = 0x9280000 end_va = 0x9a7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009280000" filename = "" Region: id = 23719 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23720 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23721 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23722 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23723 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23724 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23725 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23726 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23727 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23728 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23729 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23730 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23731 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23732 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23733 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23734 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23735 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23736 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23737 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23738 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23739 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 23740 start_va = 0x9280000 end_va = 0x9a7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009280000" filename = "" Region: id = 23741 start_va = 0x79c0000 end_va = 0x7ae1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 23749 start_va = 0x7af0000 end_va = 0x7c20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007af0000" filename = "" Region: id = 23776 start_va = 0x7750000 end_va = 0x7877fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007750000" filename = "" Region: id = 23985 start_va = 0x79c0000 end_va = 0x7eb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000079c0000" filename = "" Region: id = 23986 start_va = 0x8480000 end_va = 0x897bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 24001 start_va = 0x8d80000 end_va = 0x927dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 24173 start_va = 0x7ec0000 end_va = 0x7f48fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24174 start_va = 0x7f50000 end_va = 0x7fd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f50000" filename = "" Region: id = 24184 start_va = 0x9a80000 end_va = 0x9b14fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24185 start_va = 0x7ec0000 end_va = 0x7f59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24193 start_va = 0x7f60000 end_va = 0x7ff7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f60000" filename = "" Region: id = 24195 start_va = 0x7ec0000 end_va = 0x7f57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24196 start_va = 0x7f60000 end_va = 0x8000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f60000" filename = "" Region: id = 24202 start_va = 0x9a80000 end_va = 0x9b22fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24203 start_va = 0x7ec0000 end_va = 0x7f6efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24204 start_va = 0x7f70000 end_va = 0x801bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f70000" filename = "" Region: id = 24216 start_va = 0x9a80000 end_va = 0x9b35fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24232 start_va = 0x7ec0000 end_va = 0x7f75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24244 start_va = 0x9a80000 end_va = 0x9b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24245 start_va = 0x7ec0000 end_va = 0x7f76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24260 start_va = 0x9a80000 end_va = 0x9b3cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24279 start_va = 0x7ec0000 end_va = 0x7f83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24280 start_va = 0x9a80000 end_va = 0x9b4afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a80000" filename = "" Region: id = 24286 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24287 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24288 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24289 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24290 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24291 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24292 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24293 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24294 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24295 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24296 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24297 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24298 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24299 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24300 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24301 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24302 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24303 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24304 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24305 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24306 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24307 start_va = 0x9280000 end_va = 0x9a7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009280000" filename = "" Region: id = 24308 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24309 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24311 start_va = 0x9280000 end_va = 0x92bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009280000" filename = "" Region: id = 24312 start_va = 0x92c0000 end_va = 0x92fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000092c0000" filename = "" Region: id = 24313 start_va = 0x7ec0000 end_va = 0x7f93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24327 start_va = 0x9300000 end_va = 0x93d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24343 start_va = 0x7ec0000 end_va = 0x7f92fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24344 start_va = 0x9300000 end_va = 0x93e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24351 start_va = 0x7ec0000 end_va = 0x7f96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24360 start_va = 0x9300000 end_va = 0x93e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24361 start_va = 0x7ec0000 end_va = 0x7faafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24368 start_va = 0x9300000 end_va = 0x93e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24371 start_va = 0x7ec0000 end_va = 0x7faafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24372 start_va = 0x9300000 end_va = 0x93f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24377 start_va = 0x7ec0000 end_va = 0x7fb6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24378 start_va = 0x9300000 end_va = 0x93f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24383 start_va = 0x7ec0000 end_va = 0x7fbbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24384 start_va = 0x9300000 end_va = 0x9404fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24401 start_va = 0x7ec0000 end_va = 0x7fc2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24410 start_va = 0x9300000 end_va = 0x9401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24431 start_va = 0x7ec0000 end_va = 0x7fc6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24432 start_va = 0x9300000 end_va = 0x9411fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24443 start_va = 0x7ec0000 end_va = 0x7fcefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24451 start_va = 0x9300000 end_va = 0x941ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24456 start_va = 0x7ec0000 end_va = 0x7fe2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24457 start_va = 0x9300000 end_va = 0x941efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24466 start_va = 0x7ec0000 end_va = 0x7fe2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24467 start_va = 0x9300000 end_va = 0x942efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24468 start_va = 0x7ec0000 end_va = 0x7ff3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24470 start_va = 0x9300000 end_va = 0x9430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 24544 start_va = 0x8480000 end_va = 0x8979fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008480000" filename = "" Region: id = 24545 start_va = 0x8d80000 end_va = 0x927bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 24571 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24572 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24573 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24574 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24575 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24576 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24577 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24578 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24579 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24580 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24581 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24582 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24583 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24584 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24585 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24586 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24587 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24588 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24589 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24590 start_va = 0x9440000 end_va = 0x9c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009440000" filename = "" Region: id = 24591 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24592 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24593 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24594 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24595 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24596 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24597 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24598 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24599 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24600 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24601 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24602 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24603 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24604 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24651 start_va = 0x7ec0000 end_va = 0x7f42fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24652 start_va = 0x7f50000 end_va = 0x7fdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f50000" filename = "" Region: id = 24661 start_va = 0x7ec0000 end_va = 0x7f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24662 start_va = 0x7f50000 end_va = 0x7feafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f50000" filename = "" Region: id = 24665 start_va = 0x9440000 end_va = 0x94defff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24666 start_va = 0x7ec0000 end_va = 0x7f5cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24674 start_va = 0x7f60000 end_va = 0x7ffafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f60000" filename = "" Region: id = 24675 start_va = 0x9440000 end_va = 0x94ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24676 start_va = 0x7ec0000 end_va = 0x7f6cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24677 start_va = 0x7f70000 end_va = 0x8015fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f70000" filename = "" Region: id = 24678 start_va = 0x7ec0000 end_va = 0x7f6afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24679 start_va = 0x9440000 end_va = 0x94f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24700 start_va = 0x7ec0000 end_va = 0x7f7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24707 start_va = 0x9440000 end_va = 0x94fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24721 start_va = 0x7ec0000 end_va = 0x7f7afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24722 start_va = 0x9440000 end_va = 0x9506fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24731 start_va = 0x7ec0000 end_va = 0x7f8afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24743 start_va = 0x9440000 end_va = 0x950ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24749 start_va = 0x7ec0000 end_va = 0x7f89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24755 start_va = 0x9440000 end_va = 0x9510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24756 start_va = 0x7ec0000 end_va = 0x7f93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24761 start_va = 0x9440000 end_va = 0x9521fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24768 start_va = 0x7ec0000 end_va = 0x7fa4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24769 start_va = 0x9440000 end_va = 0x952cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24770 start_va = 0x7ec0000 end_va = 0x7facfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24772 start_va = 0x9440000 end_va = 0x9533fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24773 start_va = 0x7ec0000 end_va = 0x7fb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24774 start_va = 0x9440000 end_va = 0x952ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24775 start_va = 0x7ec0000 end_va = 0x7fb9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24792 start_va = 0x9440000 end_va = 0x9538fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24801 start_va = 0x7ec0000 end_va = 0x7fbafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24821 start_va = 0x9440000 end_va = 0x9542fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24834 start_va = 0x7ec0000 end_va = 0x7fc9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24841 start_va = 0x9440000 end_va = 0x9546fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24847 start_va = 0x7ec0000 end_va = 0x7fcefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24848 start_va = 0x9440000 end_va = 0x9556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24857 start_va = 0x7ec0000 end_va = 0x7fd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24858 start_va = 0x9440000 end_va = 0x9555fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24859 start_va = 0x7ec0000 end_va = 0x7fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24872 start_va = 0x9440000 end_va = 0x956afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24886 start_va = 0x7ec0000 end_va = 0x7fe7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24893 start_va = 0x9440000 end_va = 0x9573fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 24899 start_va = 0x7ec0000 end_va = 0x7fe8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 24939 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24940 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24941 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24942 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24943 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24944 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24945 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24946 start_va = 0x9440000 end_va = 0x9c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009440000" filename = "" Region: id = 24947 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24948 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24949 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24950 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24951 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24952 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24953 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24954 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24955 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24956 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24957 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24958 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24959 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24960 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24961 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24962 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24963 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24964 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24965 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24966 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24967 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 24968 start_va = 0x9440000 end_va = 0x9c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009440000" filename = "" Region: id = 26024 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26025 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26026 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26027 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26028 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26029 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26030 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26031 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26032 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26033 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26034 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26035 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26036 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26037 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26038 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26039 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26040 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26041 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26042 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26043 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26044 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26045 start_va = 0x9440000 end_va = 0x9c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009440000" filename = "" Region: id = 26046 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26047 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26048 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26049 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26050 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26051 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26052 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 26053 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27239 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27240 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27241 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27242 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27243 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27244 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27245 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27246 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27247 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27248 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27249 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27250 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27251 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27252 start_va = 0x9440000 end_va = 0x9c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009440000" filename = "" Region: id = 27253 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27254 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27255 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27256 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27257 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27258 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27259 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27260 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27261 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27262 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27263 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27264 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27265 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27981 start_va = 0x9440000 end_va = 0x947ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009440000" filename = "" Region: id = 27982 start_va = 0x9480000 end_va = 0x94bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009480000" filename = "" Region: id = 27983 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27984 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27985 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27986 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27987 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27988 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27989 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27990 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27991 start_va = 0x94c0000 end_va = 0x9cbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000094c0000" filename = "" Region: id = 27992 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27993 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27994 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27995 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27996 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27997 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27998 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 27999 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28000 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28001 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28002 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28003 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28004 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28005 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28006 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28007 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28008 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28009 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28010 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28011 start_va = 0x4aa0000 end_va = 0x4aa4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28012 start_va = 0x4aa0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004aa0000" filename = "" Region: id = 28013 start_va = 0x94c0000 end_va = 0x9cbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000094c0000" filename = "" Region: id = 28585 start_va = 0x4aa0000 end_va = 0x4aa0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 29115 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29116 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29117 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29118 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29119 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29120 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29121 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29122 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29123 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29124 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29125 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29126 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29127 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29128 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29129 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29130 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29131 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29132 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29133 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29134 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29135 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29136 start_va = 0x94c0000 end_va = 0x9cbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000094c0000" filename = "" Region: id = 29137 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29138 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29139 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29140 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29141 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29142 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29143 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29144 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29145 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29146 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 29849 start_va = 0x719a0000 end_va = 0x719b1fff monitored = 0 entry_point = 0x719a4510 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\syswow64\\ondemandconnroutehelper.dll") Region: id = 29850 start_va = 0x94c0000 end_va = 0x94fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000094c0000" filename = "" Region: id = 29851 start_va = 0x9500000 end_va = 0x953ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009500000" filename = "" Region: id = 29852 start_va = 0x71970000 end_va = 0x7199efff monitored = 0 entry_point = 0x7197bb70 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 29853 start_va = 0x718d0000 end_va = 0x7196afff monitored = 0 entry_point = 0x7190f7e0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 30019 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30020 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30021 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30022 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30023 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30024 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30025 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30026 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30027 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30028 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30029 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30030 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 30031 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30032 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30033 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30034 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30035 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30036 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30037 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30038 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30039 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30040 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30041 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30042 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30043 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30044 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30045 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30046 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30047 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30048 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30049 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30050 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30051 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 30052 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 31000 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31001 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31002 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31003 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31004 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31005 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31006 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31007 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31008 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31009 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31010 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31011 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31012 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31013 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31014 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31015 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31016 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31017 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31018 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31019 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31020 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31045 start_va = 0x71880000 end_va = 0x718cefff monitored = 0 entry_point = 0x7188d850 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 31053 start_va = 0x71870000 end_va = 0x71877fff monitored = 0 entry_point = 0x71871fc0 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 31054 start_va = 0x74ea0000 end_va = 0x74ea6fff monitored = 0 entry_point = 0x74ea1e10 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 31316 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 31317 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31318 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31319 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31320 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31321 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31322 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31323 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31324 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31325 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31326 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31327 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31328 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31329 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31330 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31331 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31332 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31333 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31334 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31335 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31336 start_va = 0x4ab0000 end_va = 0x4ab4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31337 start_va = 0x4ab0000 end_va = 0x4ac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31338 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 31361 start_va = 0x70eb0000 end_va = 0x70f33fff monitored = 0 entry_point = 0x70ed6530 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 31362 start_va = 0x4ab0000 end_va = 0x4ab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ab0000" filename = "" Region: id = 31423 start_va = 0x70040000 end_va = 0x70047fff monitored = 0 entry_point = 0x70041920 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 31424 start_va = 0x6fe50000 end_va = 0x6fe96fff monitored = 0 entry_point = 0x6fe658d0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 31437 start_va = 0x4ac0000 end_va = 0x4ac2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\mswsock.dll.mui") Region: id = 31438 start_va = 0x4ad0000 end_va = 0x4ad7fff monitored = 0 entry_point = 0x4ad19c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 31439 start_va = 0x4ae0000 end_va = 0x4ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 31440 start_va = 0x4ad0000 end_va = 0x4ad7fff monitored = 0 entry_point = 0x4ad19c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 31441 start_va = 0x4ae0000 end_va = 0x4ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 31442 start_va = 0x4ad0000 end_va = 0x4ad7fff monitored = 0 entry_point = 0x4ad19c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 31443 start_va = 0x4ae0000 end_va = 0x4ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 31444 start_va = 0x4ad0000 end_va = 0x4ad7fff monitored = 0 entry_point = 0x4ad19c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\SysWOW64\\wshqos.dll" (normalized: "c:\\windows\\syswow64\\wshqos.dll") Region: id = 31445 start_va = 0x4ae0000 end_va = 0x4ae0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshqos.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wshqos.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wshqos.dll.mui") Region: id = 31507 start_va = 0x6fde0000 end_va = 0x6fe43fff monitored = 0 entry_point = 0x6fdfafd0 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 31521 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31522 start_va = 0x70030000 end_va = 0x7003ffff monitored = 0 entry_point = 0x70034600 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\SysWOW64\\mskeyprotect.dll" (normalized: "c:\\windows\\syswow64\\mskeyprotect.dll") Region: id = 31523 start_va = 0x6fdc0000 end_va = 0x6fddffff monitored = 0 entry_point = 0x6fdcd120 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 31524 start_va = 0x6fd90000 end_va = 0x6fdbbfff monitored = 0 entry_point = 0x6fdabb10 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\SysWOW64\\ntasn1.dll" (normalized: "c:\\windows\\syswow64\\ntasn1.dll") Region: id = 31525 start_va = 0x4ad0000 end_va = 0x4ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ad0000" filename = "" Region: id = 31532 start_va = 0x6fd60000 end_va = 0x6fd67fff monitored = 0 entry_point = 0x6fd61d70 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\SysWOW64\\dpapi.dll" (normalized: "c:\\windows\\syswow64\\dpapi.dll") Region: id = 31533 start_va = 0x74480000 end_va = 0x744c1fff monitored = 0 entry_point = 0x74496f10 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 31534 start_va = 0x71680000 end_va = 0x71692fff monitored = 0 entry_point = 0x71689950 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 31535 start_va = 0x706b0000 end_va = 0x706defff monitored = 0 entry_point = 0x706c95e0 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 31556 start_va = 0x9d40000 end_va = 0x9d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009d40000" filename = "" Region: id = 31557 start_va = 0x9d80000 end_va = 0x9dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009d80000" filename = "" Region: id = 31602 start_va = 0x6fd70000 end_va = 0x6fd89fff monitored = 0 entry_point = 0x6fd7fa70 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\SysWOW64\\ncryptsslp.dll" (normalized: "c:\\windows\\syswow64\\ncryptsslp.dll") Region: id = 31603 start_va = 0x4ad0000 end_va = 0x4ad9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\crypt32.dll.mui") Region: id = 31694 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31695 start_va = 0x4ae0000 end_va = 0x4ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ae0000" filename = "" Region: id = 31778 start_va = 0x4ae0000 end_va = 0x4aeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ae0000" filename = "" Region: id = 31779 start_va = 0x79c0000 end_va = 0x7abbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000079c0000" filename = "" Region: id = 31819 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31820 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31821 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31822 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31823 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31824 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31825 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31826 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31827 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31828 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31829 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31830 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31831 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31832 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31833 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31834 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31835 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31836 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31837 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31838 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31839 start_va = 0x4bf0000 end_va = 0x4c00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31840 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 31841 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31842 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31843 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31844 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31845 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31846 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31847 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31848 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31849 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31850 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31851 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31852 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31853 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31854 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31855 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31856 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31857 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 31858 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32716 start_va = 0x9dc0000 end_va = 0x9dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009dc0000" filename = "" Region: id = 32717 start_va = 0x9e00000 end_va = 0x9e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009e00000" filename = "" Region: id = 32718 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32719 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32720 start_va = 0x4bf0000 end_va = 0x4c00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32721 start_va = 0x9540000 end_va = 0x9d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000009540000" filename = "" Region: id = 32722 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32723 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32724 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32725 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32726 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32727 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32728 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32729 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32730 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32731 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32732 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32733 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32734 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32735 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32736 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32737 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Region: id = 32738 start_va = 0x4bf0000 end_va = 0x4bf4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004bf0000" filename = "" Thread: id = 355 os_tid = 0x1348 [0146.299] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0146.300] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x754e0000 [0146.301] GetProcAddress (hModule=0x754e0000, lpProcName="_snprintf") returned 0x75555020 [0146.301] GetProcAddress (hModule=0x754e0000, lpProcName="memchr") returned 0x75568380 [0146.301] GetProcAddress (hModule=0x754e0000, lpProcName="malloc") returned 0x75527900 [0146.301] GetProcAddress (hModule=0x754e0000, lpProcName="_errno") returned 0x75515cd0 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="_strtoi64") returned 0x75511e60 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnprintf") returned 0x755563d0 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="memset") returned 0x75568c80 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="qsort") returned 0x7553c200 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="_ftol2_sse") returned 0x7557a580 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnwprintf") returned 0x75556840 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="free") returned 0x75527740 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="_time64") returned 0x7556ea10 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="strncpy") returned 0x75569350 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="strchr") returned 0x75568d90 [0146.302] GetProcAddress (hModule=0x754e0000, lpProcName="strtod") returned 0x75511ba0 [0146.303] GetProcAddress (hModule=0x754e0000, lpProcName="localeconv") returned 0x7553c100 [0146.303] GetProcAddress (hModule=0x754e0000, lpProcName="memcpy") returned 0x755684a0 [0146.303] GetProcAddress (hModule=0x754e0000, lpProcName="atol") returned 0x7550fe40 [0146.303] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75820000 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="FindNextFileW") returned 0x758469a0 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="GetTickCount") returned 0x75845eb0 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="SetThreadPriority") returned 0x75839990 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="FlushFileBuffers") returned 0x758469b0 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="LocalAlloc") returned 0x75837a30 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="GetExitCodeProcess") returned 0x7583fdb0 [0146.303] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemTimeAsFileTime") returned 0x75837620 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="GetFileAttributesW") returned 0x75846a50 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="MultiByteToWideChar") returned 0x75832ad0 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="SetCurrentDirectoryA") returned 0x75862290 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="Sleep") returned 0x75837990 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpiW") returned 0x75837590 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="GetDriveTypeW") returned 0x75846a10 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="GetLastError") returned 0x75833870 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="CreateDirectoryW") returned 0x75846860 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatA") returned 0x7583f640 [0146.304] GetProcAddress (hModule=0x75820000, lpProcName="CreateMutexW") returned 0x758466f0 [0146.305] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentThread") returned 0x758375f0 [0146.305] GetProcAddress (hModule=0x75820000, lpProcName="GetProcessId") returned 0x7583a6a0 [0146.305] GetProcAddress (hModule=0x75820000, lpProcName="DisconnectNamedPipe") returned 0x75860990 [0146.305] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpA") returned 0x7583cc30 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="K32GetModuleFileNameExW") returned 0x758616a0 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="MoveFileW") returned 0x7583b1d0 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="ExitThread") returned 0x776b7a80 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="GetNumberFormatA") returned 0x75876060 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcessId") returned 0x758323e0 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="SwitchToThread") returned 0x7583a690 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleW") returned 0x75839bc0 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="GetProcAddress") returned 0x758378b0 [0146.306] GetProcAddress (hModule=0x75820000, lpProcName="HeapCreate") returned 0x7583a100 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="HeapFree") returned 0x75831ba0 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="HeapAlloc") returned 0x77682bd0 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleA") returned 0x758399f0 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryA") returned 0x75844bf0 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcess") returned 0x758338c0 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatW") returned 0x7585d170 [0146.307] GetProcAddress (hModule=0x75820000, lpProcName="WideCharToMultiByte") returned 0x75833880 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="FindFirstFileW") returned 0x75846960 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="GetWindowsDirectoryW") returned 0x75845120 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="SetFileAttributesW") returned 0x75846c20 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="lstrlenW") returned 0x75833690 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryW") returned 0x7583a840 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="FreeLibrary") returned 0x75839f50 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="GetCommandLineW") returned 0x7583aba0 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="GetVersionExA") returned 0x7583a700 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemInfo") returned 0x7583a0f0 [0146.308] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentDirectoryW") returned 0x7583a9a0 [0146.308] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ec0000 [0146.664] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffA") returned 0x74f4aba0 [0146.664] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffW") returned 0x74ef4d90 [0146.664] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75e00000 [0146.961] GetProcAddress (hModule=0x75e00000, lpProcName="CommandLineToArgvW") returned 0x75fabf80 [0146.972] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a90000 [0146.979] GetProcAddress (hModule=0x75a90000, lpProcName="CoCreateInstance") returned 0x75690060 [0146.979] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeEx") returned 0x756688d0 [0146.979] GetProcAddress (hModule=0x75a90000, lpProcName="CoSetProxyBlanket") returned 0x756660a0 [0146.980] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeSecurity") returned 0x756d3870 [0146.980] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74bb0000 [0146.980] GetProcAddress (hModule=0x74bb0000, lpProcName=0x14) returned 0x74bc2a10 [0146.980] GetProcAddress (hModule=0x74bb0000, lpProcName=0x6) returned 0x74bc9d40 [0146.980] GetProcAddress (hModule=0x74bb0000, lpProcName=0x2) returned 0x74bc9c90 [0146.980] GetProcAddress (hModule=0x74bb0000, lpProcName=0x9) returned 0x74bc9570 [0146.981] GetProcAddress (hModule=0x74bb0000, lpProcName=0x13) returned 0x74bc25b0 [0146.981] GetProcAddress (hModule=0x74bb0000, lpProcName=0x10) returned 0x74bc6200 [0146.981] GetProcAddress (hModule=0x74bb0000, lpProcName=0x19) returned 0x74bc5830 [0146.981] HeapCreate (flOptions=0x0, dwInitialSize=0x96000, dwMaximumSize=0x0) returned 0x4d40000 [0146.984] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100) returned 0x4dbf5a8 [0146.988] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbf6b0 [0146.988] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0146.988] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x144) returned 0x4dbf6c8 [0147.002] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0147.002] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0147.020] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.029] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbf6b0 [0147.029] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77650000 [0147.030] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40) returned 0x4dbf818 [0147.031] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.031] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dbf6b0 [0147.031] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74ec0000 [0147.031] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c) returned 0x4dbf860 [0147.032] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.032] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbf6b0 [0147.033] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x74a60000 [0147.033] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24) returned 0x4dbf8d8 [0147.033] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.033] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbf6b0 [0147.033] LoadLibraryA (lpLibFileName="netapi32.dll") returned 0x743a0000 [0147.045] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18) returned 0x4dbf908 [0147.046] LoadLibraryA (lpLibFileName="SRVCLI.dll") returned 0x6f9d0000 [0147.052] GetProcAddress (hModule=0x6f9d0000, lpProcName="NetShareEnum") returned 0x6f9d4140 [0147.052] LoadLibraryA (lpLibFileName="SAMCLI.dll") returned 0x6f9b0000 [0147.057] GetProcAddress (hModule=0x6f9b0000, lpProcName="NetUserEnum") returned 0x6f9bc010 [0147.057] LoadLibraryA (lpLibFileName="NETUTILS.dll") returned 0x6f9a0000 [0147.060] GetProcAddress (hModule=0x6f9a0000, lpProcName="NetApiBufferFree") returned 0x6f9a16d0 [0147.060] LoadLibraryA (lpLibFileName="LOGONCLI.dll") returned 0x6f970000 [0147.065] GetProcAddress (hModule=0x6f970000, lpProcName="NetGetDCName") returned 0x6f98de00 [0147.065] LoadLibraryA (lpLibFileName="WKSCLI.dll") returned 0x6f960000 [0147.140] GetProcAddress (hModule=0x6f960000, lpProcName="NetGetJoinInformation") returned 0x6f962e90 [0147.140] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.140] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbf6b0 [0147.140] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77260000 [0147.140] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4) returned 0x4dbf928 [0147.143] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.143] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbf6b0 [0147.143] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x75a40000 [0147.144] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c) returned 0x4dbfa08 [0147.144] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.144] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbf6b0 [0147.144] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75e00000 [0147.144] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8) returned 0x4dbfa40 [0147.145] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.145] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbf6b0 [0147.145] LoadLibraryA (lpLibFileName="userenv.dll") returned 0x6f940000 [0147.150] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dbfa50 [0147.150] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.150] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dbf6b0 [0147.150] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77200000 [0147.155] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dbfa60 [0147.155] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.159] GetCurrentProcess () returned 0xffffffff [0147.160] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcfac0 | out: TokenHandle=0xcfac0*=0x1c0) returned 1 [0147.160] GetTokenInformation (in: TokenHandle=0x1c0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfaa0 | out: TokenInformation=0x0, ReturnLength=0xcfaa0) returned 0 [0147.160] GetLastError () returned 0x7a [0147.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24) returned 0x4dbfa78 [0147.160] GetTokenInformation (in: TokenHandle=0x1c0, TokenInformationClass=0x1, TokenInformation=0x4dbfa78, TokenInformationLength=0x24, ReturnLength=0xcfab0 | out: TokenInformation=0x4dbfa78, ReturnLength=0xcfab0) returned 1 [0147.160] CloseHandle (hObject=0x1c0) returned 1 [0147.161] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4981644, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\wermgr.exe" (normalized: "c:\\windows\\syswow64\\wermgr.exe")) returned 0x1e [0147.161] GetVersionExA (in: lpVersionInformation=0x4980000*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x4980000*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0147.161] GetCurrentProcessId () returned 0x1334 [0147.161] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0xcfac0 | out: bufptr=0xcfac0) returned 0x995 [0147.234] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0xcfac0, BufferType=0xcfabc | out: lpNameBuffer=0xcfac0*="WORKGROUP", BufferType=0xcfabc) returned 0x0 [0147.394] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14) returned 0x4dbfaa8 [0147.394] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0147.395] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dbfac8 [0147.396] _vsnprintf (in: _DstBuf=0xcfab0, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf060 | out: _DstBuf="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 38 [0147.397] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfac8 | out: hHeap=0x4d40000) returned 1 [0147.397] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 0x1e4 [0147.397] SetEvent (hEvent=0x1e4) returned 1 [0147.397] CloseHandle (hObject=0x1e4) returned 1 [0147.397] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5) returned 0x4dbf6b0 [0147.397] SetCurrentDirectoryA (lpPathName="c:\\\\" (normalized: "c:")) returned 1 [0147.398] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbf6b0 | out: hHeap=0x4d40000) returned 1 [0147.398] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110) returned 0x4dbfac8 [0147.398] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.398] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfbe0 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕﯠӛמ") returned 7 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.398] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.399] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfbe0 | out: hHeap=0x4d40000) returned 1 [0147.400] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dbfbe0 [0147.400] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc00 [0147.400] lstrcatA (in: lpString1="", lpString2="Software\\Microsoft" | out: lpString1="Software\\Microsoft") returned="Software\\Microsoft" [0147.400] lstrcatA (in: lpString1="Software\\Microsoft", lpString2="\\" | out: lpString1="Software\\Microsoft\\") returned="Software\\Microsoft\\" [0147.400] lstrcatA (in: lpString1="Software\\Microsoft\\", lpString2="Fdircmnenyyey" | out: lpString1="Software\\Microsoft\\Fdircmnenyyey") returned="Software\\Microsoft\\Fdircmnenyyey" [0147.400] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfbe0 | out: hHeap=0x4d40000) returned 1 [0147.400] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfa78 | out: phkResult=0xcfa78*=0x0) returned 0x2 [0147.401] RegCreateKeyA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", phkResult=0xcfa84 | out: phkResult=0xcfa84*=0x1e8) returned 0x0 [0147.401] RegCloseKey (hKey=0x1e8) returned 0x0 [0147.402] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.405] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dbf6b0 [0147.405] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0147.405] GetFileSize (in: hFile=0x1e8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ce00 [0147.405] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1ce01) returned 0x4d404a0 [0147.406] ReadFile (in: hFile=0x1e8, lpBuffer=0x4d404a0, nNumberOfBytesToRead=0x1ce00, lpNumberOfBytesRead=0xcfa6c, lpOverlapped=0x0 | out: lpBuffer=0x4d404a0*, lpNumberOfBytesRead=0xcfa6c*=0x1ce00, lpOverlapped=0x0) returned 1 [0147.410] ReadFile (in: hFile=0x1e8, lpBuffer=0x4d5d2a0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0xcfa6c, lpOverlapped=0x0 | out: lpBuffer=0x4d5d2a0*, lpNumberOfBytesRead=0xcfa6c*=0x0, lpOverlapped=0x0) returned 1 [0147.410] CloseHandle (hObject=0x1e8) returned 1 [0147.410] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5) returned 0x4dbfbe0 [0147.410] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5) returned 0x4dbfbf0 [0147.410] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfbe0 | out: hHeap=0x4d40000) returned 1 [0147.413] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋 ") returned 7 [0147.414] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcfa1c, cchNumber=34 | out: lpNumberStr="á\x81î\x11ø¶£\x0fMNm ¿)rg\x99¹}K\x07F²8d\x1d6íÛØ\x0c[q$µVtGæÂv×´2éÔ·kâõU34\x94ÌÝlÈ\x1f0b\x96\x08û`Õ*ÿ¼=¥ßÇ®è\x84½+\x98\x0e¨ø\x96\x04\x84ú\x0c") returned 0 [0147.415] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c) returned 0x4dbfc00 [0147.415] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3fff) returned 0x4dbfc68 [0147.415] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x800) returned 0x4dc3c70 [0147.415] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x2001f, phkResult=0xcfa70 | out: phkResult=0xcfa70*=0x1ec) returned 0x0 [0147.416] RegQueryInfoKeyW (in: hKey=0x1ec, lpClass=0xcf838, lpcchClass=0xcfa5c, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfa60, lpcbMaxValueNameLen=0xcfa48, lpcbMaxValueLen=0xcfa4c, lpcbSecurityDescriptor=0xcfa50, lpftLastWriteTime=0xcfa40 | out: lpClass="", lpcchClass=0xcfa5c, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfa60*=0x0, lpcbMaxValueNameLen=0xcfa48, lpcbMaxValueLen=0xcfa4c, lpcbSecurityDescriptor=0xcfa50, lpftLastWriteTime=0xcfa40) returned 0x0 [0147.416] RegCloseKey (hKey=0x1ec) returned 0x0 [0147.416] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc68 | out: hHeap=0x4d40000) returned 1 [0147.422] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc3c70 | out: hHeap=0x4d40000) returned 1 [0147.423] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.424] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc00 [0147.424] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf8ec | out: phkResult=0xcf8ec*=0x1ec) returned 0x0 [0147.424] RegQueryValueExA (in: hKey=0x1ec, lpValueName="3665b42c", lpReserved=0x0, lpType=0xcf8e4, lpData=0x0, lpcbData=0xcf8e8*=0x0 | out: lpType=0xcf8e4*=0x0, lpData=0x0, lpcbData=0xcf8e8*=0x0) returned 0x2 [0147.424] RegCloseKey (hKey=0x1ec) returned 0x0 [0147.425] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.425] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x49526b2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0xcfaa0 | out: lpThreadId=0xcfaa0*=0x4f8) returned 0x1ec [0147.426] lstrlenW (lpString="䉁䑃䙅ofile\x0c䬇Җ\x0c") returned 14 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.426] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] lstrlenW (lpString="䉁䑃䙅o") returned 4 [0147.427] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dbfc00 [0147.427] _vsnprintf (in: _DstBuf=0xcfa7c, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf028 | out: _DstBuf="{5085B591-93ED-4978-9582-6C11B50A806A}") returned 38 [0147.428] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.428] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="{5085B591-93ED-4978-9582-6C11B50A806A}") returned 0x0 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ(") returned 5 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.428] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] lstrlenW (lpString="䉁䑃䙅ӕ") returned 4 [0147.429] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dbfc00 [0147.429] _vsnprintf (in: _DstBuf=0xcfa40, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcefe8 | out: _DstBuf="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 38 [0147.430] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.472] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2e) returned 0x4dbfc00 [0147.472] lstrcatA (in: lpString1="", lpString2="Global" | out: lpString1="Global") returned="Global" [0147.472] lstrcatA (in: lpString1="Global", lpString2="\\" | out: lpString1="Global\\") returned="Global\\" [0147.472] lstrcatA (in: lpString1="Global\\", lpString2="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}" | out: lpString1="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}" [0147.472] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 0x1e8 [0147.472] GetLastError () returned 0x0 [0147.472] CloseHandle (hObject=0x1e8) returned 1 [0147.473] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 0x1e8 [0147.473] GetLastError () returned 0x0 [0147.473] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.473] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc00 [0147.473] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf8e4 | out: phkResult=0xcf8e4*=0x1f0) returned 0x0 [0147.474] RegQueryValueExA (in: hKey=0x1f0, lpValueName="abb28c95", lpReserved=0x0, lpType=0xcf8dc, lpData=0x0, lpcbData=0xcf8e0*=0x0 | out: lpType=0xcf8dc*=0x0, lpData=0x0, lpcbData=0xcf8e0*=0x0) returned 0x2 [0147.474] RegCloseKey (hKey=0x1f0) returned 0x0 [0147.474] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc00 | out: hHeap=0x4d40000) returned 1 [0147.474] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dbfc00 [0147.474] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0147.474] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbfc18 [0147.484] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1a) returned 0x4dbfc30 [0147.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4dbfc18, cbMultiByte=-1, lpWideCharStr=0x4dbfc30, cchWideChar=13 | out: lpWideCharStr="Component_07") returned 13 [0147.484] lstrlenW (lpString="䉁䑃䙅ӛ￿￿ﰰÛ器\x0c\x03ҖوҘ\x1e") returned 15 [0147.484] FindResourceW (hModule=0x4950000, lpName="Component_07", lpType=0xa) returned 0x0 [0147.484] lstrlenW (lpString="䉁䑃䙅") returned 3 [0147.484] FindResourceW (hModule=0x4950000, lpName="Component_07", lpType=0x3) returned 0x0 [0147.484] lstrlenW (lpString="䉁䑃䙅") returned 3 [0147.484] FindResourceW (hModule=0x4950000, lpName="Component_07", lpType=0x2) returned 0x4972068 [0147.484] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc30 | out: hHeap=0x4d40000) returned 1 [0147.484] SizeofResource (hModule=0x4950000, hResInfo=0x4972068) returned 0x57 [0147.485] LoadResource (hModule=0x4950000, hResInfo=0x4972068) returned 0x49720bc [0147.485] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x59) returned 0x4dbfc30 [0147.485] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.485] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x29) returned 0x4dbfc98 [0147.485] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x448) returned 0x4dbfcd0 [0147.485] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x57) returned 0x4dc0120 [0147.485] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.485] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.486] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc98 | out: hHeap=0x4d40000) returned 1 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x448) returned 0x4dc0180 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x43) returned 0x4dc05d0 [0147.486] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfa0) returned 0x4dc0620 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbfc18 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dbfc98 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8) returned 0x4dbfbe0 [0147.486] SetLastError (dwErrCode=0x0) [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8) returned 0x4dbfcb0 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9) returned 0x4dc15c8 [0147.486] SetLastError (dwErrCode=0x0) [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dc15e0 [0147.486] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcb0 | out: hHeap=0x4d40000) returned 1 [0147.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dbfcb0 [0147.486] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.486] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc98 | out: hHeap=0x4d40000) returned 1 [0147.487] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc05d0 | out: hHeap=0x4d40000) returned 1 [0147.487] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0620 | out: hHeap=0x4d40000) returned 1 [0147.487] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0180 | out: hHeap=0x4d40000) returned 1 [0147.488] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0120 | out: hHeap=0x4d40000) returned 1 [0147.488] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.488] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc30 | out: hHeap=0x4d40000) returned 1 [0147.488] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf9fc, cchNumber=34 | out: lpNumberStr="þÿÿÿ(ú\x0c") returned 0 [0147.489] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0147.489] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5a) returned 0x4dbfc30 [0147.489] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0147.489] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg" [0147.489] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.489] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe.cfg")) returned 0xffffffff [0147.489] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc30 | out: hHeap=0x4d40000) returned 1 [0147.489] GetKeyboardLayoutList (in: nBuff=64, lpList=0xcf940 | out: lpList=0xcf940) returned 1 [0147.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.495] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.495] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.496] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.496] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.496] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.496] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.496] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.496] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.496] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.497] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.497] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.497] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.498] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.498] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.498] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.498] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc18 [0147.498] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.498] GetComputerNameW (in: lpBuffer=0xcf5ec, nSize=0xcf7f0 | out: lpBuffer="XC64ZB", nSize=0xcf7f0) returned 1 [0147.498] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf16c, cchNumber=34 | out: lpNumberStr="ìõ\x0c") returned 0 [0147.499] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0147.499] GetVolumeInformationW (in: lpRootPathName="c:\\\\", lpVolumeNameBuffer=0xcf1ec, nVolumeNameSize=0x100, lpVolumeSerialNumber=0xcf7f4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0xcf3ec, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xcf7f4*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0147.499] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.499] _vsnwprintf (in: _Buffer=0xcf80c, _BufferCount=0xfa, _Format="%u", _ArgList=0xcf1dc | out: _Buffer="203980600") returned 9 [0147.499] lstrcatW (in: lpString1="XC64ZB203980600", lpString2="" | out: lpString1="XC64ZB203980600") returned="XC64ZB203980600" [0147.499] CharUpperBuffW (in: lpsz="XC64ZB203980600", cchLength=0xf | out: lpsz="XC64ZB203980600") returned 0xf [0147.499] lstrlenW (lpString="䉁䑃䙅Ұ䲜үÎ") returned 7 [0147.499] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.499] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.499] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] lstrlenW (lpString="䉁䑃䙅Ұ") returned 4 [0147.500] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dbfc18 [0147.500] _vsnprintf (in: _DstBuf=0xcfa40, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcefb8 | out: _DstBuf="{61969771-19E3-435D-AE55-CFB18F1249EF}") returned 38 [0147.501] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.501] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="{61969771-19E3-435D-AE55-CFB18F1249EF}") returned 0x1f0 [0147.501] GetLastError () returned 0x0 [0147.501] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dbfc18 [0147.501] LoadLibraryA (lpLibFileName="wtsapi32.dll") returned 0x6f930000 [0147.512] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dbfc30 [0147.512] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.512] EqualSid (pSid1=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 1 [0147.512] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcf77c, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcf784 | out: pSid=0xcf784*=0x4afb688*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0147.512] EqualSid (pSid1=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4afb688*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0147.512] ConvertSidToStringSidW (in: Sid=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xcf780 | out: StringSid=0xcf780*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0147.512] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf6f8, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.512] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x72) returned 0x4dbfcd0 [0147.512] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0) returned 0x4dbfd50 [0147.512] lstrcatW (in: lpString1="", lpString2="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" [0147.512] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", lpString2="\\" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" [0147.512] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", lpString2="S-1-5-21-1560258661-3990802383-1811730007-1000" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000" [0147.513] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.513] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf6e0, cchNumber=34 | out: lpNumberStr="g") returned 0 [0147.513] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x22) returned 0x4dbfc48 [0147.513] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf758 | out: phkResult=0xcf758*=0x1f4) returned 0x0 [0147.514] RegQueryValueExW (in: hKey=0x1f4, lpValueName="ProfileImagePath", lpReserved=0x0, lpType=0xcf750, lpData=0x0, lpcbData=0xcf754*=0x0 | out: lpType=0xcf750*=0x2, lpData=0x0, lpcbData=0xcf754*=0x2c) returned 0x0 [0147.514] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c) returned 0x4dbfc78 [0147.514] RegQueryValueExW (in: hKey=0x1f4, lpValueName="ProfileImagePath", lpReserved=0x0, lpType=0x0, lpData=0x4dbfc78, lpcbData=0xcf754*=0x2c | out: lpType=0x0, lpData=0x4dbfc78*=0x43, lpcbData=0xcf754*=0x2c) returned 0x0 [0147.514] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.514] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc48 | out: hHeap=0x4d40000) returned 1 [0147.514] PathUnquoteSpacesW (in: lpsz="C:\\Users\\RDhJ0CNFevzX" | out: lpsz="C:\\Users\\RDhJ0CNFevzX") returned 0 [0147.514] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\RDhJ0CNFevzX", lpDst=0xcf7e0, nSize=0x105 | out: lpDst="C:\\Users\\RDhJ0CNFevzX") returned 0x16 [0147.514] LocalFree (hMem=0x4b02428) returned 0x0 [0147.515] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc78 | out: hHeap=0x4d40000) returned 1 [0147.515] GetComputerNameW (in: lpBuffer=0xcf374, nSize=0xcf578 | out: lpBuffer="XC64ZB", nSize=0xcf578) returned 1 [0147.515] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xceef4, cchNumber=34 | out: lpNumberStr="tó\x0c") returned 0 [0147.515] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0147.515] GetVolumeInformationW (in: lpRootPathName="c:\\\\", lpVolumeNameBuffer=0xcef74, nVolumeNameSize=0x100, lpVolumeSerialNumber=0xcf57c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0xcf174, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0xcf57c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0147.515] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.515] _vsnwprintf (in: _Buffer=0xcf594, _BufferCount=0xfa, _Format="%u", _ArgList=0xcef64 | out: _Buffer="203980600") returned 9 [0147.515] lstrcatW (in: lpString1="XC64ZB203980600", lpString2="RDhJ0CNFevzX" | out: lpString1="XC64ZB203980600RDhJ0CNFevzX") returned="XC64ZB203980600RDhJ0CNFevzX" [0147.515] CharUpperBuffW (in: lpsz="XC64ZB203980600RDhJ0CNFevzX", cchLength=0x1b | out: lpsz="XC64ZB203980600RDHJ0CNFEVZX") returned 0x1b [0147.515] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc48 [0147.515] lstrlenW (lpString="䉁䑃䙅Җ\x0c醺\x95\x0c큈ҕ\x0c\x05") returned 15 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫\x0c큈\x95\x0c큯ҕ\x0c") returned 14 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0147.516] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc48 | out: hHeap=0x4d40000) returned 1 [0147.516] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12) returned 0x4dbfc48 [0147.516] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcf7b0, cbMultiByte=-1, lpWideCharStr=0x4dbfc48, cchWideChar=9 | out: lpWideCharStr="fdircmne") returned 9 [0147.516] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf708, cchNumber=34 | out: lpNumberStr="\x09") returned 0 [0147.516] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0147.516] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1a) returned 0x4dbfc68 [0147.516] lstrcatW (in: lpString1="", lpString2="fdircmne" | out: lpString1="fdircmne") returned="fdircmne" [0147.517] lstrcatW (in: lpString1="fdircmne", lpString2=".dll" | out: lpString1="fdircmne.dll") returned="fdircmne.dll" [0147.517] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.517] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc48 | out: hHeap=0x4d40000) returned 1 [0147.517] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1b) returned 0x4dbfcd0 [0147.517] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dbfc18 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ\x0c醺\x95\x0c튨ҕ\x0c") returned 14 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] lstrlenW (lpString="䉁䑃䙅Җ") returned 4 [0147.517] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.517] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0147.518] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfcd0 [0147.518] lstrlenW (lpString="䉁䑃䙅") returned 3 [0147.518] lstrlenW (lpString="䉁䑃䙅頀氼䆁\x0c\x0c턊ҕ\x0c") returned 14 [0147.518] lstrlenW (lpString="䉁䑃䙅頀") returned 4 [0147.518] lstrlenW (lpString="䉁䑃䙅頀") returned 4 [0147.518] lstrlenW (lpString="䉁䑃䙅頀") returned 4 [0147.518] lstrlenW (lpString="䉁䑃䙅頀") returned 4 [0147.518] lstrlenW (lpString="䉁䑃䙅頀") returned 4 [0147.518] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.518] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcf334, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcf33c | out: pSid=0xcf33c*=0x4afb508*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0147.518] EqualSid (pSid1=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4afb508*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0147.518] ConvertSidToStringSidW (in: Sid=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xcf338 | out: StringSid=0xcf338*="S-1-5-21-1560258661-3990802383-1811730007-1000") returned 1 [0147.518] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf2b0, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.518] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x72) returned 0x4dbfcd0 [0147.519] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0) returned 0x4dbfe28 [0147.519] lstrcatW (in: lpString1="", lpString2="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" [0147.519] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", lpString2="\\" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" [0147.519] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", lpString2="S-1-5-21-1560258661-3990802383-1811730007-1000" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000" [0147.519] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.519] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf298, cchNumber=34 | out: lpNumberStr="g") returned 0 [0147.519] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x22) returned 0x4dbfcd0 [0147.519] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-1000", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf310 | out: phkResult=0xcf310*=0x1f4) returned 0x0 [0147.519] RegQueryValueExW (in: hKey=0x1f4, lpValueName="ProfileImagePath", lpReserved=0x0, lpType=0xcf308, lpData=0x0, lpcbData=0xcf30c*=0x0 | out: lpType=0xcf308*=0x2, lpData=0x0, lpcbData=0xcf30c*=0x2c) returned 0x0 [0147.519] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c) returned 0x4dbfd00 [0147.519] RegQueryValueExW (in: hKey=0x1f4, lpValueName="ProfileImagePath", lpReserved=0x0, lpType=0x0, lpData=0x4dbfd00, lpcbData=0xcf30c*=0x2c | out: lpType=0x0, lpData=0x4dbfd00*=0x43, lpcbData=0xcf30c*=0x2c) returned 0x0 [0147.519] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.520] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcd0 | out: hHeap=0x4d40000) returned 1 [0147.520] PathUnquoteSpacesW (in: lpsz="C:\\Users\\RDhJ0CNFevzX" | out: lpsz="C:\\Users\\RDhJ0CNFevzX") returned 0 [0147.520] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\RDhJ0CNFevzX", lpDst=0xcf34c, nSize=0x104 | out: lpDst="C:\\Users\\RDhJ0CNFevzX") returned 0x16 [0147.520] LocalFree (hMem=0x4b02428) returned 0x0 [0147.520] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfd00 | out: hHeap=0x4d40000) returned 1 [0147.520] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x1, pszPath=0xcef2c | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0 [0147.561] GetCurrentThread () returned 0xfffffffe [0147.562] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0xcef14 | out: TokenHandle=0xcef14*=0x0) returned 0 [0147.562] GetLastError () returned 0x3f0 [0147.562] GetCurrentProcess () returned 0xffffffff [0147.562] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcef14 | out: TokenHandle=0xcef14*=0x1f4) returned 1 [0147.562] GetUserProfileDirectoryW () returned 0x1 [0147.562] CloseHandle (hObject=0x1f4) returned 1 [0147.562] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf2d4, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.563] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14) returned 0x4dbfc48 [0147.563] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6e) returned 0x4dbfcd0 [0147.563] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX" | out: lpString1="C:\\Users\\RDhJ0CNFevzX") returned="C:\\Users\\RDhJ0CNFevzX" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\") returned="C:\\Users\\RDhJ0CNFevzX\\" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\", lpString2="AppData\\Roaming" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\", lpString2="Microsoft" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\" [0147.563] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\", lpString2="Ikuqna" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" [0147.563] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc48 | out: hHeap=0x4d40000) returned 1 [0147.563] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\ikuqna")) returned 0xffffffff [0147.563] CreateDirectoryW (lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\ikuqna"), lpSecurityAttributes=0x0) returned 1 [0147.575] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\ikuqna")) returned 0x10 [0147.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88) returned 0x4dbff00 [0147.575] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" [0147.575] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\" [0147.575] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\", lpString2="fdircmne.dll" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\fdircmne.dll") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\fdircmne.dll" [0147.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6e) returned 0x4dbff90 [0147.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88) returned 0x4dc0008 [0147.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110) returned 0x4dc0098 [0147.575] lstrlenW (lpString="䉁䑃䙅") returned 3 [0147.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01b0 [0147.575] lstrlenW (lpString="䉁䑃䙅ҕưӜמ") returned 7 [0147.575] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.575] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0147.576] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dbfc48 [0147.577] EqualSid (pSid1=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 1 [0147.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01b0 [0147.577] lstrcatA (in: lpString1="", lpString2="Software\\Microsoft" | out: lpString1="Software\\Microsoft") returned="Software\\Microsoft" [0147.577] lstrcatA (in: lpString1="Software\\Microsoft", lpString2="\\" | out: lpString1="Software\\Microsoft\\") returned="Software\\Microsoft\\" [0147.577] lstrcatA (in: lpString1="Software\\Microsoft\\", lpString2="Fdircmnenyyey" | out: lpString1="Software\\Microsoft\\Fdircmnenyyey") returned="Software\\Microsoft\\Fdircmnenyyey" [0147.577] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc48 | out: hHeap=0x4d40000) returned 1 [0147.577] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf760 | out: phkResult=0xcf760*=0x1f4) returned 0x0 [0147.577] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.577] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.577] lstrlenW (lpString="䉁䑃䙅Ӕ\x0c\x98Ü\x0c놖ҕ\x0c") returned 14 [0147.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5e) returned 0x4dc01b0 [0147.577] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.579] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.580] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.581] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.582] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.583] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.583] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc0218 [0147.583] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf76c | out: phkResult=0xcf76c*=0x1f4) returned 0x0 [0147.583] RegSetValueExA (in: hKey=0x1f4, lpValueName="9e2d5cdb", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0x5e | out: lpData=0x4dc01b0*) returned 0x0 [0147.584] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.584] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0218 | out: hHeap=0x4d40000) returned 1 [0147.585] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.585] lstrlenW (lpString="䉁䑃䙅Ӕ") returned 4 [0147.585] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0) returned 0x4dc01b0 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.585] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.586] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.587] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.588] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.588] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc0278 [0147.588] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf774 | out: phkResult=0xcf774*=0x1f4) returned 0x0 [0147.589] RegSetValueExA (in: hKey=0x1f4, lpValueName="abb28c95", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0xc0 | out: lpData=0x4dc01b0*) returned 0x0 [0147.589] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.589] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0278 | out: hHeap=0x4d40000) returned 1 [0147.589] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.589] lstrlenW (lpString="䉁䑃䙅ӜɸӜ\x98Ü\x0c놖ҕ\x0c") returned 14 [0147.590] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3a) returned 0x4dc01b0 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.590] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.591] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.592] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.592] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01f8 [0147.592] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf764 | out: phkResult=0xcf764*=0x1f4) returned 0x0 [0147.592] RegSetValueExA (in: hKey=0x1f4, lpValueName="a9f3ace9", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0x3a | out: lpData=0x4dc01b0*) returned 0x0 [0147.593] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.593] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01f8 | out: hHeap=0x4d40000) returned 1 [0147.593] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.593] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01b0 [0147.593] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf5d0 | out: phkResult=0xcf5d0*=0x1f4) returned 0x0 [0147.594] RegQueryValueExA (in: hKey=0x1f4, lpValueName="114fcb8c", lpReserved=0x0, lpType=0xcf5c8, lpData=0x0, lpcbData=0xcf5cc*=0x0 | out: lpType=0xcf5c8*=0x0, lpData=0x0, lpcbData=0xcf5cc*=0x0) returned 0x2 [0147.594] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.594] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.594] SetLastError (dwErrCode=0xd) [0147.594] GetLastError () returned 0xd [0147.594] lstrlenW (lpString="䉁䑃䙅ӜǸӜ\x98Ü\x0c놖ҕ\x0c") returned 14 [0147.594] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54) returned 0x4dc01b0 [0147.594] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.594] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.594] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.594] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.594] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.595] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.596] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.597] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.598] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.598] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc0210 [0147.598] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf754 | out: phkResult=0xcf754*=0x1f4) returned 0x0 [0147.599] RegSetValueExA (in: hKey=0x1f4, lpValueName="114fcb8c", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0x54 | out: lpData=0x4dc01b0*) returned 0x0 [0147.599] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.599] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0210 | out: hHeap=0x4d40000) returned 1 [0147.600] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.600] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01b0 [0147.600] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf5d0 | out: phkResult=0xcf5d0*=0x1f4) returned 0x0 [0147.600] RegQueryValueExA (in: hKey=0x1f4, lpValueName="6c478406", lpReserved=0x0, lpType=0xcf5c8, lpData=0x0, lpcbData=0xcf5cc*=0x0 | out: lpType=0xcf5c8*=0x0, lpData=0x0, lpcbData=0xcf5cc*=0x0) returned 0x2 [0147.600] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.601] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.601] SetLastError (dwErrCode=0x0) [0147.601] lstrlenW (lpString="䉁䑃䙅") returned 3 [0147.601] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x71) returned 0x4dc01b0 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.601] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.602] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.602] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.603] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.604] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.605] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.606] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.607] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.608] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.608] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc0230 [0147.608] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf74c | out: phkResult=0xcf74c*=0x1f4) returned 0x0 [0147.608] RegSetValueExA (in: hKey=0x1f4, lpValueName="6c478406", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0x71 | out: lpData=0x4dc01b0*) returned 0x0 [0147.608] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.609] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0230 | out: hHeap=0x4d40000) returned 1 [0147.610] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.610] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcf780 | out: lpSystemTimeAsFileTime=0xcf780*(dwLowDateTime=0xb7da0b0, dwHighDateTime=0x1d99f3b)) [0147.610] lstrlenW (lpString="䉁䑃䙅ӛ\x01") returned 5 [0147.610] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38) returned 0x4dc01b0 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.610] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.611] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0147.612] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0147.612] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc01f0 [0147.612] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf774 | out: phkResult=0xcf774*=0x1f4) returned 0x0 [0147.612] RegSetValueExA (in: hKey=0x1f4, lpValueName="d4fbe363", Reserved=0x0, dwType=0x3, lpData=0x4dc01b0*, cbData=0x38 | out: lpData=0x4dc01b0*) returned 0x0 [0147.613] RegCloseKey (hKey=0x1f4) returned 0x0 [0147.613] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01f0 | out: hHeap=0x4d40000) returned 1 [0147.614] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01b0 | out: hHeap=0x4d40000) returned 1 [0147.614] WTSEnumerateSessionsW (in: hServer=0x0, Reserved=0x0, Version=0x1, ppSessionInfo=0xcfa24, pCount=0xcfa28 | out: ppSessionInfo=0xcfa24, pCount=0xcfa28) returned 1 [0147.649] NetUserEnum (in: servername=0x0, level=0x0, filter=0x2, bufptr=0xcf9e4, prefmaxlen=0xffffffff, entriesread=0xcf9d8, totalentries=0xcf9d0, resume_handle=0xcf9d4 | out: bufptr=0xcf9e4*=([0]=0x4b07820*(usri0_name="Administrator"), [1]=0x4b07824*(usri0_name="DefaultAccount"), [2]=0x4b07828*(usri0_name="Guest"), [3]=0x4b0782c*(usri0_name="RDhJ0CNFevzX")), entriesread=0xcf9d8*=0x4, totalentries=0xcf9d0, resume_handle=0xcf9d4) returned 0x0 [0147.841] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="Administrator", Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 0 [0147.844] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1d) returned 0x4dc01b0 [0147.844] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="Administrator", Sid=0x4dc01b0, cbSid=0xcf9dc, ReferencedDomainName=0xcf7cc, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x4dc01b0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), cbSid=0xcf9dc, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 1 [0147.846] EqualSid (pSid1=0x4dc01b0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.846] EqualSid (pSid1=0x4dc01b0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.846] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcf514, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcf51c | out: pSid=0xcf51c*=0x4afb7f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0147.846] EqualSid (pSid1=0x4dc01b0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4afb7f0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0147.846] ConvertSidToStringSidW (in: Sid=0x4dc01b0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xcf518 | out: StringSid=0xcf518*="S-1-5-21-1560258661-3990802383-1811730007-500") returned 1 [0147.846] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf490, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.846] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x72) returned 0x4dc01d8 [0147.846] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xce) returned 0x4dc0258 [0147.846] lstrcatW (in: lpString1="", lpString2="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" [0147.846] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", lpString2="\\" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" [0147.846] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", lpString2="S-1-5-21-1560258661-3990802383-1811730007-500" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-500") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-500" [0147.847] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01d8 | out: hHeap=0x4d40000) returned 1 [0147.847] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf478, cchNumber=34 | out: lpNumberStr="f") returned 0 [0147.847] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x22) returned 0x4dc01d8 [0147.847] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-500", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf4f0 | out: phkResult=0xcf4f0*=0x0) returned 0x2 [0147.848] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc01d8 | out: hHeap=0x4d40000) returned 1 [0147.848] LocalFree (hMem=0x4b05b48) returned 0x0 [0147.848] Sleep (dwMilliseconds=0xa) [0147.912] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="DefaultAccount", Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 0 [0147.916] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1d) returned 0x4dc01d8 [0147.916] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="DefaultAccount", Sid=0x4dc01d8, cbSid=0xcf9dc, ReferencedDomainName=0xcf7cc, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x4dc01d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), cbSid=0xcf9dc, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 1 [0147.917] EqualSid (pSid1=0x4dc01d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.917] EqualSid (pSid1=0x4dc01d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.917] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcf514, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcf51c | out: pSid=0xcf51c*=0x4afb790*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0147.917] EqualSid (pSid1=0x4dc01d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4afb790*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0147.917] ConvertSidToStringSidW (in: Sid=0x4dc01d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xcf518 | out: StringSid=0xcf518*="S-1-5-21-1560258661-3990802383-1811730007-503") returned 1 [0147.917] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf490, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.918] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x72) returned 0x4dc0330 [0147.918] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xce) returned 0x4dc03b0 [0147.918] lstrcatW (in: lpString1="", lpString2="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" [0147.918] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", lpString2="\\" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" [0147.918] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", lpString2="S-1-5-21-1560258661-3990802383-1811730007-503" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-503") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-503" [0147.918] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0147.918] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf478, cchNumber=34 | out: lpNumberStr="f") returned 0 [0147.918] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x22) returned 0x4dc0200 [0147.918] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-503", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf4f0 | out: phkResult=0xcf4f0*=0x0) returned 0x2 [0147.919] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0200 | out: hHeap=0x4d40000) returned 1 [0147.919] LocalFree (hMem=0x4b05b48) returned 0x0 [0147.919] Sleep (dwMilliseconds=0xa) [0147.983] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="Guest", Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 0 [0147.985] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1d) returned 0x4dc0200 [0147.985] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="Guest", Sid=0x4dc0200, cbSid=0xcf9dc, ReferencedDomainName=0xcf7cc, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x4dc0200*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), cbSid=0xcf9dc, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 1 [0147.986] EqualSid (pSid1=0x4dc0200*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.987] EqualSid (pSid1=0x4dc0200*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 0 [0147.987] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcf514, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcf51c | out: pSid=0xcf51c*=0x4afb760*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0147.987] EqualSid (pSid1=0x4dc0200*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4afb760*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0147.987] ConvertSidToStringSidW (in: Sid=0x4dc0200*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), StringSid=0xcf518 | out: StringSid=0xcf518*="S-1-5-21-1560258661-3990802383-1811730007-501") returned 1 [0147.987] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf490, cchNumber=34 | out: lpNumberStr="") returned 0 [0147.987] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x72) returned 0x4dc0330 [0147.987] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xce) returned 0x4dc0488 [0147.987] lstrcatW (in: lpString1="", lpString2="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList" [0147.987] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList", lpString2="\\" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\" [0147.987] lstrcatW (in: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\", lpString2="S-1-5-21-1560258661-3990802383-1811730007-501" | out: lpString1="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-501") returned="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-501" [0147.988] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0147.988] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf478, cchNumber=34 | out: lpNumberStr="f") returned 0 [0147.988] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x22) returned 0x4dc0228 [0147.988] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-1560258661-3990802383-1811730007-501", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf4f0 | out: phkResult=0xcf4f0*=0x0) returned 0x2 [0147.988] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0228 | out: hHeap=0x4d40000) returned 1 [0147.988] LocalFree (hMem=0x4b05b48) returned 0x0 [0147.988] Sleep (dwMilliseconds=0xa) [0148.073] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="RDhJ0CNFevzX", Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x0, cbSid=0xcf9dc, ReferencedDomainName=0x0, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 0 [0148.074] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1d) returned 0x4dc0228 [0148.074] LookupAccountNameW (in: lpSystemName=0x0, lpAccountName="RDhJ0CNFevzX", Sid=0x4dc0228, cbSid=0xcf9dc, ReferencedDomainName=0xcf7cc, cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc | out: Sid=0x4dc0228*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), cbSid=0xcf9dc, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0xcf9e0, peUse=0xcf9cc) returned 1 [0148.076] EqualSid (pSid1=0x4dc0228*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x4dbfa80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65))) returned 1 [0148.076] Sleep (dwMilliseconds=0xa) [0148.156] NetApiBufferFree (Buffer=0x4b07820) returned 0x0 [0148.156] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0xcf9fc | out: bufptr=0xcf9fc) returned 0x995 [0148.157] WTSFreeMemory (pMemory=0x4afbf80) [0148.158] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf994, cchNumber=34 | out: lpNumberStr="Åß\x98o") returned 0 [0148.158] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0148.158] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5a) returned 0x4dc0330 [0148.158] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0148.158] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg") returned="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg" [0148.158] GetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe.cfg" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe.cfg")) returned 0xffffffff [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbff90 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0008 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc15c8 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcb0 | out: hHeap=0x4d40000) returned 1 [0148.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc15e0 | out: hHeap=0x4d40000) returned 1 [0148.160] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfbe0 | out: hHeap=0x4d40000) returned 1 [0148.160] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcfa28, cchNumber=34 | out: lpNumberStr="\\\x92\x95\x04") returned 0 [0148.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c) returned 0x4dc0330 [0148.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3fff) returned 0x4dc0560 [0148.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x800) returned 0x4dc4568 [0148.160] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x2001f, phkResult=0xcfa7c | out: phkResult=0xcfa7c*=0x210) returned 0x0 [0148.160] RegQueryInfoKeyW (in: hKey=0x210, lpClass=0xcf844, lpcchClass=0xcfa68, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfa6c, lpcbMaxValueNameLen=0xcfa54, lpcbMaxValueLen=0xcfa58, lpcbSecurityDescriptor=0xcfa5c, lpftLastWriteTime=0xcfa4c | out: lpClass="", lpcchClass=0xcfa68, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfa6c*=0x0, lpcbMaxValueNameLen=0xcfa54, lpcbMaxValueLen=0xcfa58, lpcbSecurityDescriptor=0xcfa5c, lpftLastWriteTime=0xcfa4c) returned 0x0 [0148.160] RegCloseKey (hKey=0x210) returned 0x0 [0148.161] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0560 | out: hHeap=0x4d40000) returned 1 [0148.162] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc4568 | out: hHeap=0x4d40000) returned 1 [0148.163] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0148.163] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4951154) returned 0x4afb778 [0148.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0148.163] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf8b8 | out: phkResult=0xcf8b8*=0x210) returned 0x0 [0148.164] RegQueryValueExA (in: hKey=0x210, lpValueName="59d85448", lpReserved=0x0, lpType=0xcf8b0, lpData=0x0, lpcbData=0xcf8b4*=0x0 | out: lpType=0xcf8b0*=0x0, lpData=0x0, lpcbData=0xcf8b4*=0x0) returned 0x2 [0148.164] RegCloseKey (hKey=0x210) returned 0x0 [0148.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.164] GetKeyboardLayoutList (in: nBuff=64, lpList=0xcf940 | out: lpList=0xcf940) returned 1 [0148.165] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.166] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.166] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.167] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.167] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.167] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.167] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.167] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.167] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.168] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.168] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.168] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.168] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.168] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.169] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.169] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.169] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.169] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.169] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.170] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.170] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.170] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.170] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0148.171] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.171] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa58 | out: lpSystemTimeAsFileTime=0xcfa58*(dwLowDateTime=0xbd37494, dwHighDateTime=0x1d99f3b)) [0148.171] lstrlenW (lpString="䉁䑃䙅") returned 3 [0148.171] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x56) returned 0x4dc0330 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.171] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.172] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.173] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.174] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.175] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0148.175] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0148.175] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcfa3c | out: phkResult=0xcfa3c*=0x210) returned 0x0 [0148.175] RegSetValueExA (in: hKey=0x210, lpValueName="130eebf0", Reserved=0x0, dwType=0x3, lpData=0x4dc0330*, cbData=0x56 | out: lpData=0x4dc0330*) returned 0x0 [0148.176] RegCloseKey (hKey=0x210) returned 0x0 [0148.176] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0148.177] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0148.177] lstrlenW (lpString="䉁䑃䙅") returned 3 [0148.177] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dc0330 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.177] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.178] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.179] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0148.180] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0148.181] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dc0380 [0148.181] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcfa34 | out: phkResult=0xcfa34*=0x210) returned 0x0 [0148.181] RegSetValueExA (in: hKey=0x210, lpValueName="e164332d", Reserved=0x0, dwType=0x3, lpData=0x4dc0330*, cbData=0x47 | out: lpData=0x4dc0330*) returned 0x0 [0148.181] RegCloseKey (hKey=0x210) returned 0x0 [0148.182] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0380 | out: hHeap=0x4d40000) returned 1 [0148.182] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc0330 | out: hHeap=0x4d40000) returned 1 [0148.182] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfc18 [0148.182] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x719f0000 [0148.392] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54) returned 0x4dc0330 [0148.392] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0148.392] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dbfc18 [0148.392] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x71c00000 [0148.409] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dbfbe0 [0148.409] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0148.409] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x101) returned 0x4dc0560 [0148.411] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x4dc0560, cbSize=0xcfa60 | out: pszUAOut="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", cbSize=0xcfa60) returned 0x0 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c㦪痒") returned 6 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.037] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dbff90 [0149.037] _vsnprintf (in: _DstBuf=0xcfa78, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf020 | out: _DstBuf="{6AFE5B87-2B59-4F71-8E8E-673538106992}") returned 38 [0149.038] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbff90 | out: hHeap=0x4d40000) returned 1 [0149.038] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="{6AFE5B87-2B59-4F71-8E8E-673538106992}") returned 0x230 [0149.038] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x234 [0149.038] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1000) returned 0x4dc0670 [0149.039] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0149.039] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x250 [0149.039] GetLastError () returned 0x0 [0149.039] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc0670, dwCreationFlags=0x0, lpThreadId=0x4dc0674 | out: lpThreadId=0x4dc0674*=0xcf0) returned 0x254 [0149.046] SetThreadPriority (hThread=0x254, nPriority=-1) returned 1 [0149.046] ReleaseMutex (hMutex=0x250) returned 1 [0149.046] ReleaseMutex (hMutex=0x234) returned 1 [0149.048] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x258 [0149.049] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x25c [0149.049] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dbfc18 [0149.049] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dc0390 [0149.049] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0149.049] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100) returned 0x4dbff90 [0149.049] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x401) returned 0x4dc1678 [0149.052] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfc18 [0149.052] LoadLibraryA (lpLibFileName="crypt32.dll") returned 0x77350000 [0149.111] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfc48 [0149.112] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0149.112] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0149.112] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0149.112] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x264 [0149.112] GetLastError () returned 0x0 [0149.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc0690, dwCreationFlags=0x0, lpThreadId=0x4dc0694 | out: lpThreadId=0x4dc0694*=0x9c8) returned 0x268 [0149.112] SetThreadPriority (hThread=0x268, nPriority=-1) returned 1 [0149.112] ReleaseMutex (hMutex=0x264) returned 1 [0149.112] ReleaseMutex (hMutex=0x234) returned 1 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā\x0c\x0c\x0c䬇Җ\x0c") returned 14 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.116] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] lstrlenW (lpString="䉁䑃䙅Ā") returned 4 [0149.117] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x47) returned 0x4dc1a88 [0149.117] _vsnprintf (in: _DstBuf=0xcfa1c, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcefc8 | out: _DstBuf="{FBF42900-CA81-4232-AFB3-BE8085500C4A}") returned 38 [0149.117] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1a88 | out: hHeap=0x4d40000) returned 1 [0149.118] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0149.118] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30) returned 0x4dbfc90 [0149.118] lstrcatA (in: lpString1="", lpString2="\\\\.\\pipe\\" | out: lpString1="\\\\.\\pipe\\") returned="\\\\.\\pipe\\" [0149.118] lstrcatA (in: lpString1="\\\\.\\pipe\\", lpString2="{FBF42900-CA81-4232-AFB3-BE8085500C4A}" | out: lpString1="\\\\.\\pipe\\{FBF42900-CA81-4232-AFB3-BE8085500C4A}") returned="\\\\.\\pipe\\{FBF42900-CA81-4232-AFB3-BE8085500C4A}" [0149.118] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0149.118] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa00000) returned 0x670f020 [0149.151] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcfa28, nSubAuthorityCount=0x1, nSubAuthority0=0x0, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcfa34 | out: pSid=0xcfa34*=0x4b064d0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 1 [0149.152] AllocateAndInitializeSid (in: pIdentifierAuthority=0xcfa20, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0xcfa38 | out: pSid=0xcfa38*=0x4b064a0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0149.152] SetEntriesInAclA () returned 0x0 [0149.156] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x4b02238 [0149.156] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4b02238, dwRevision=0x1 | out: pSecurityDescriptor=0x4b02238) returned 1 [0149.156] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4b02238, bDaclPresent=1, pDacl=0x4afdb90, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4b02238) returned 1 [0149.157] CreateNamedPipeA (lpName="\\\\.\\pipe\\{FBF42900-CA81-4232-AFB3-BE8085500C4A}" (normalized: "\\device\\namedpipe\\{fbf42900-ca81-4232-afb3-be8085500c4a}"), dwOpenMode=0x80003, dwPipeMode=0x6, nMaxInstances=0xff, nOutBufferSize=0xa00000, nInBufferSize=0xa00000, nDefaultTimeOut=0x0, lpSecurityAttributes=0xcfa58) returned 0x28c [0149.157] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcf9b4, cchNumber=34 | out: lpNumberStr="0îlw\rÛEãþÿÿÿèù\x0c") returned 0 [0149.157] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dc1a88 [0149.157] ConvertStringSecurityDescriptorToSecurityDescriptorW (in: StringSecurityDescriptor="S:(ML;;NW;;;LW)", StringSDRevision=0x1, SecurityDescriptor=0xcfa40, SecurityDescriptorSize=0x0 | out: SecurityDescriptor=0xcfa40*=0x0*(Revision=0x1, Sbz1=0x0, Control=0x8010, Owner=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x14), Group=0x0*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x14, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x0), Sacl=0x14*(AclRevision=0x14, Sbz1=0x0, AclSize=0x0, AceCount=0x0, Sbz2=0x0), Dacl=0x0*(AclRevision=0x0, Sbz1=0x0, AclSize=0x0, AceCount=0x2, Sbz2=0x1c)), SecurityDescriptorSize=0x0) returned 1 [0149.159] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4b01948, lpbSaclPresent=0xcfa34, pSacl=0xcfa3c, lpbSaclDefaulted=0xcfa38 | out: lpbSaclPresent=0xcfa34, pSacl=0xcfa3c, lpbSaclDefaulted=0xcfa38) returned 1 [0149.159] SetSecurityInfo () returned 0x0 [0149.160] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1a88 | out: hHeap=0x4d40000) returned 1 [0149.160] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0149.160] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0149.161] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0149.161] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x290 [0149.161] GetLastError () returned 0x0 [0149.161] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc06b0, dwCreationFlags=0x0, lpThreadId=0x4dc06b4 | out: lpThreadId=0x4dc06b4*=0xd20) returned 0x294 [0149.161] SetThreadPriority (hThread=0x294, nPriority=-1) returned 1 [0149.161] ReleaseMutex (hMutex=0x290) returned 1 [0149.161] ReleaseMutex (hMutex=0x234) returned 1 [0149.162] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.162] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0149.162] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf898 | out: phkResult=0xcf898*=0x298) returned 0x0 [0149.162] RegQueryValueExA (in: hKey=0x298, lpValueName="e3251351", lpReserved=0x0, lpType=0xcf890, lpData=0x0, lpcbData=0xcf894*=0x0 | out: lpType=0xcf890*=0x0, lpData=0x0, lpcbData=0xcf894*=0x0) returned 0x2 [0149.162] RegCloseKey (hKey=0x298) returned 0x0 [0149.162] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.162] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dbfc90 [0149.162] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40) returned 0x4dc1a88 [0149.163] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0149.163] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf8b0 | out: phkResult=0xcf8b0*=0x298) returned 0x0 [0149.163] RegQueryValueExA (in: hKey=0x298, lpValueName="9e2d5cdb", lpReserved=0x0, lpType=0xcf8a8, lpData=0x0, lpcbData=0xcf8ac*=0x0 | out: lpType=0xcf8a8*=0x3, lpData=0x0, lpcbData=0xcf8ac*=0x5e) returned 0x0 [0149.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5f) returned 0x4dc1ad0 [0149.163] RegQueryValueExA (in: hKey=0x298, lpValueName="9e2d5cdb", lpReserved=0x0, lpType=0xcf8a8, lpData=0x4dc1ad0, lpcbData=0xcf8ac*=0x5e | out: lpType=0xcf8a8*=0x3, lpData=0x4dc1ad0*, lpcbData=0xcf8ac*=0x5e) returned 0x0 [0149.163] RegCloseKey (hKey=0x298) returned 0x0 [0149.163] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0149.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3) returned 0x4dbfcc0 [0149.163] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ad0 | out: hHeap=0x4d40000) returned 1 [0149.163] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dc03a0 [0149.163] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1) returned 0x4dbfc18 [0149.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0149.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc03a0 | out: hHeap=0x4d40000) returned 1 [0149.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfcc0 | out: hHeap=0x4d40000) returned 1 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] lstrlenW (lpString="䉁䑃䙅") returned 3 [0149.231] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88) returned 0x4dc1ad0 [0149.231] lstrcatW (in: lpString1="", lpString2="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna" [0149.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna", lpString2="\\" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\" [0149.231] lstrcatW (in: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\", lpString2="tozrlqis.mdj" | out: lpString1="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\tozrlqis.mdj") returned="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\tozrlqis.mdj" [0149.232] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x448) returned 0x4dc1b60 [0149.232] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Microsoft\\Ikuqna\\tozrlqis.mdj" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\microsoft\\ikuqna\\tozrlqis.mdj"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0149.233] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1b60 | out: hHeap=0x4d40000) returned 1 [0149.233] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ad0 | out: hHeap=0x4d40000) returned 1 [0149.233] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0xc75afe2, dwHighDateTime=0x1d99f3b)) [0149.233] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0149.233] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x298) returned 0x0 [0149.233] RegQueryValueExA (in: hKey=0x298, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0149.233] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc1ad0 [0149.233] RegQueryValueExA (in: hKey=0x298, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc1ad0, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc1ad0*, lpcbData=0xcf874*=0x38) returned 0x0 [0149.233] RegCloseKey (hKey=0x298) returned 0x0 [0149.233] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0149.234] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dbfc18 [0149.234] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ad0 | out: hHeap=0x4d40000) returned 1 [0149.234] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.234] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0149.234] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0xc75afe2, dwHighDateTime=0x1d99f3b)) [0149.234] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0149.234] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0149.234] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0149.234] WaitForSingleObject (hHandle=0x294, dwMilliseconds=0x0) returned 0x102 [0149.235] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfc18 [0149.235] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x298 [0149.235] GetLastError () returned 0x0 [0149.235] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc06d0, dwCreationFlags=0x0, lpThreadId=0x4dc06d4 | out: lpThreadId=0x4dc06d4*=0xd04) returned 0x29c [0149.235] SetThreadPriority (hThread=0x29c, nPriority=-1) returned 1 [0149.235] ReleaseMutex (hMutex=0x298) returned 1 [0149.235] ReleaseMutex (hMutex=0x234) returned 1 [0149.235] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8) returned 0x4dc1ad0 [0149.235] _vsnprintf (in: _DstBuf=0x4dc1ad0, _MaxCount=0xc8, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;1;0") returned 7 [0149.235] lstrcatA (in: lpString1="180;1;0", lpString2="|" | out: lpString1="180;1;0|") returned="180;1;0|" [0149.236] _vsnprintf (in: _DstBuf=0x4dc1ad8, _MaxCount=0xc0, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;21;1686800497") returned 17 [0149.236] lstrlenW (lpString="䉁䑃䙅Ӕ⢑") returned 5 [0149.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x77) returned 0x4dc1ba0 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.236] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.237] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.238] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.239] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.240] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.240] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.240] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0149.240] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0149.240] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0149.240] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf9fc | out: phkResult=0xcf9fc*=0x2a0) returned 0x0 [0149.240] RegSetValueExA (in: hKey=0x2a0, lpValueName="9e2d5cdb", Reserved=0x0, dwType=0x3, lpData=0x4dc1ba0*, cbData=0x77 | out: lpData=0x4dc1ba0*) returned 0x0 [0149.240] RegCloseKey (hKey=0x2a0) returned 0x0 [0149.240] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0149.241] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ba0 | out: hHeap=0x4d40000) returned 1 [0149.241] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ad0 | out: hHeap=0x4d40000) returned 1 [0149.241] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0159.284] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x1272f0ac, dwHighDateTime=0x1d99f3b)) [0159.284] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30340 [0159.288] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x250) returned 0x0 [0159.288] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0159.289] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4c30450 [0159.289] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4c30450, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4c30450*, lpcbData=0xcf874*=0x38) returned 0x0 [0159.289] RegCloseKey (hKey=0x250) returned 0x0 [0159.290] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0159.290] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca820 [0159.291] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0159.291] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30340 | out: hHeap=0x4d40000) returned 1 [0159.291] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca820 | out: hHeap=0x4d40000) returned 1 [0159.291] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x12751044, dwHighDateTime=0x1d99f3b)) [0159.292] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0169.354] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x18746795, dwHighDateTime=0x1d99f3b)) [0169.357] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30340 [0169.358] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x2b4) returned 0x0 [0169.358] RegQueryValueExA (in: hKey=0x2b4, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0169.358] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4c30450 [0169.358] RegQueryValueExA (in: hKey=0x2b4, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4c30450, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4c30450*, lpcbData=0xcf874*=0x38) returned 0x0 [0169.358] RegCloseKey (hKey=0x2b4) returned 0x0 [0169.359] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0169.359] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca8e0 [0169.359] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0169.360] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30340 | out: hHeap=0x4d40000) returned 1 [0169.360] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca8e0 | out: hHeap=0x4d40000) returned 1 [0169.360] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x18746795, dwHighDateTime=0x1d99f3b)) [0169.361] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0179.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x1e82209b, dwHighDateTime=0x1d99f3b)) [0179.526] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30160 [0179.526] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x250) returned 0x0 [0179.527] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0179.527] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dcae38 [0179.527] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dcae38, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dcae38*, lpcbData=0xcf874*=0x38) returned 0x0 [0179.527] RegCloseKey (hKey=0x250) returned 0x0 [0179.527] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0179.527] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca790 [0179.528] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0179.539] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30160 | out: hHeap=0x4d40000) returned 1 [0179.541] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca790 | out: hHeap=0x4d40000) returned 1 [0179.541] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x1e86eb98, dwHighDateTime=0x1d99f3b)) [0179.541] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0189.735] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x249901b9, dwHighDateTime=0x1d99f3b)) [0189.738] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30310 [0189.738] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x250) returned 0x0 [0189.738] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0189.738] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc1bc8 [0189.739] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc1bc8, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc1bc8*, lpcbData=0xcf874*=0x38) returned 0x0 [0189.739] RegCloseKey (hKey=0x250) returned 0x0 [0189.739] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0189.739] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca790 [0189.739] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0189.740] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30310 | out: hHeap=0x4d40000) returned 1 [0189.742] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca790 | out: hHeap=0x4d40000) returned 1 [0189.742] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x249b6381, dwHighDateTime=0x1d99f3b)) [0189.742] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0199.833] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x2a9d691e, dwHighDateTime=0x1d99f3b)) [0199.833] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c300a0 [0199.833] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x2b0) returned 0x0 [0199.833] RegQueryValueExA (in: hKey=0x2b0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0199.834] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dcae38 [0199.834] RegQueryValueExA (in: hKey=0x2b0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dcae38, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dcae38*, lpcbData=0xcf874*=0x38) returned 0x0 [0199.834] RegCloseKey (hKey=0x2b0) returned 0x0 [0199.839] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0199.839] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca790 [0199.840] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0199.857] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c300a0 | out: hHeap=0x4d40000) returned 1 [0199.857] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca790 | out: hHeap=0x4d40000) returned 1 [0199.857] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x2aa22dfb, dwHighDateTime=0x1d99f3b)) [0199.857] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0209.915] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x30a19774, dwHighDateTime=0x1d99f3b)) [0209.918] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c302e0 [0209.919] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x1d8) returned 0x0 [0209.920] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0209.920] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x8020048 [0209.920] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x8020048, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x8020048*, lpcbData=0xcf874*=0x38) returned 0x0 [0209.920] RegCloseKey (hKey=0x1d8) returned 0x0 [0209.921] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0209.921] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca820 [0209.922] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0209.923] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c302e0 | out: hHeap=0x4d40000) returned 1 [0209.923] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca820 | out: hHeap=0x4d40000) returned 1 [0209.923] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x30a19774, dwHighDateTime=0x1d99f3b)) [0209.924] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0220.032] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x36a8270f, dwHighDateTime=0x1d99f3b)) [0220.036] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30070 [0220.037] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x1d8) returned 0x0 [0220.040] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0220.040] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x89e4058 [0220.040] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x89e4058, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x89e4058*, lpcbData=0xcf874*=0x38) returned 0x0 [0220.041] RegCloseKey (hKey=0x1d8) returned 0x0 [0220.041] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0220.042] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca868 [0220.042] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x89e4058 | out: hHeap=0x4d40000) returned 1 [0220.043] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30070 | out: hHeap=0x4d40000) returned 1 [0220.043] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca868 | out: hHeap=0x4d40000) returned 1 [0220.043] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x36aa8a35, dwHighDateTime=0x1d99f3b)) [0220.044] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0230.150] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x3cb0cb8a, dwHighDateTime=0x1d99f3b)) [0230.154] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30070 [0230.154] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x2b0) returned 0x0 [0230.155] RegQueryValueExA (in: hKey=0x2b0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0230.155] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dcae38 [0230.155] RegQueryValueExA (in: hKey=0x2b0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dcae38, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dcae38*, lpcbData=0xcf874*=0x38) returned 0x0 [0230.155] RegCloseKey (hKey=0x2b0) returned 0x0 [0230.156] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0230.156] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca820 [0230.157] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0230.173] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30070 | out: hHeap=0x4d40000) returned 1 [0230.173] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca820 | out: hHeap=0x4d40000) returned 1 [0230.173] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x3cb32f0a, dwHighDateTime=0x1d99f3b)) [0230.174] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0240.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x42d94a72, dwHighDateTime=0x1d99f3b)) [0240.492] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30100 [0240.501] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x250) returned 0x0 [0240.502] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0240.502] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x8020048 [0240.502] RegQueryValueExA (in: hKey=0x250, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x8020048, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x8020048*, lpcbData=0xcf874*=0x38) returned 0x0 [0240.502] RegCloseKey (hKey=0x250) returned 0x0 [0240.504] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0240.504] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca850 [0240.505] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0240.506] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30100 | out: hHeap=0x4d40000) returned 1 [0240.506] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca850 | out: hHeap=0x4d40000) returned 1 [0240.506] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x42dbba7e, dwHighDateTime=0x1d99f3b)) [0240.508] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0240.508] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0240.508] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0240.508] WaitForSingleObject (hHandle=0x294, dwMilliseconds=0x0) returned 0x102 [0240.508] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca850 [0240.508] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x250 [0240.508] GetLastError () returned 0x0 [0240.508] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc06d0, dwCreationFlags=0x0, lpThreadId=0x4dc06d4 | out: lpThreadId=0x4dc06d4*=0xe1c) returned 0x1d8 [0240.524] SetThreadPriority (hThread=0x1d8, nPriority=-1) returned 1 [0240.560] ReleaseMutex (hMutex=0x250) returned 1 [0240.560] ReleaseMutex (hMutex=0x234) returned 1 [0240.560] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8) returned 0x8020048 [0240.560] _vsnprintf (in: _DstBuf=0x8020048, _MaxCount=0xc8, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;1;0") returned 7 [0240.561] lstrcatA (in: lpString1="180;1;0", lpString2="|" | out: lpString1="180;1;0|") returned="180;1;0|" [0240.561] _vsnprintf (in: _DstBuf=0x8020050, _MaxCount=0xc0, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;21;1686800682") returned 17 [0240.564] lstrlenW (lpString="䉁䑃䙅\x0c鉜ҕ靖Û林\x0c놖ҕ\x0c") returned 14 [0240.565] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x77) returned 0x8020118 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.565] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.566] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.567] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.568] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.569] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.569] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.569] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.569] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.569] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.573] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.573] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.573] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.573] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.573] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.574] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.575] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.576] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.577] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0240.578] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0240.578] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c301f0 [0240.578] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf9fc | out: phkResult=0xcf9fc*=0x1fc) returned 0x0 [0240.579] RegSetValueExA (in: hKey=0x1fc, lpValueName="9e2d5cdb", Reserved=0x0, dwType=0x3, lpData=0x8020118*, cbData=0x77 | out: lpData=0x8020118*) returned 0x0 [0240.579] RegCloseKey (hKey=0x1fc) returned 0x0 [0240.580] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c301f0 | out: hHeap=0x4d40000) returned 1 [0240.580] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020118 | out: hHeap=0x4d40000) returned 1 [0240.581] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0240.581] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0250.644] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x48e703d6, dwHighDateTime=0x1d99f3b)) [0250.644] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c300d0 [0250.644] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x2a0) returned 0x0 [0250.645] RegQueryValueExA (in: hKey=0x2a0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0250.645] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc1bc8 [0250.645] RegQueryValueExA (in: hKey=0x2a0, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc1bc8, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc1bc8*, lpcbData=0xcf874*=0x38) returned 0x0 [0250.645] RegCloseKey (hKey=0x2a0) returned 0x0 [0250.650] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0250.650] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca8e0 [0250.650] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0250.651] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c300d0 | out: hHeap=0x4d40000) returned 1 [0250.651] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca8e0 | out: hHeap=0x4d40000) returned 1 [0250.651] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x48e96ada, dwHighDateTime=0x1d99f3b)) [0250.652] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0260.698] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x4ee4b450, dwHighDateTime=0x1d99f3b)) [0260.699] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30400 [0260.706] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x1d8) returned 0x0 [0260.707] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0260.707] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc1bc8 [0260.707] RegQueryValueExA (in: hKey=0x1d8, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc1bc8, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc1bc8*, lpcbData=0xcf874*=0x38) returned 0x0 [0260.707] RegCloseKey (hKey=0x1d8) returned 0x0 [0260.708] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0260.708] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca790 [0260.709] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0260.710] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30400 | out: hHeap=0x4d40000) returned 1 [0260.710] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca790 | out: hHeap=0x4d40000) returned 1 [0260.710] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x4ee78c6b, dwHighDateTime=0x1d99f3b)) [0260.711] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0260.711] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0260.711] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0260.711] WaitForSingleObject (hHandle=0x294, dwMilliseconds=0x0) returned 0x102 [0260.711] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca820 [0260.711] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x1d8 [0260.711] GetLastError () returned 0x0 [0260.711] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc06d0, dwCreationFlags=0x0, lpThreadId=0x4dc06d4 | out: lpThreadId=0x4dc06d4*=0x13e8) returned 0x2a0 [0260.712] SetThreadPriority (hThread=0x2a0, nPriority=-1) returned 1 [0260.712] ReleaseMutex (hMutex=0x1d8) returned 1 [0260.712] ReleaseMutex (hMutex=0x234) returned 1 [0260.726] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8) returned 0x4dc1bc8 [0260.726] _vsnprintf (in: _DstBuf=0x4dc1bc8, _MaxCount=0xc8, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;1;1686800747") returned 16 [0260.726] lstrcatA (in: lpString1="180;1;1686800747", lpString2="|" | out: lpString1="180;1;1686800747|") returned="180;1;1686800747|" [0260.726] _vsnprintf (in: _DstBuf=0x4dc1bd9, _MaxCount=0xb7, _Format="%u;%u;%u", _ArgList=0xcfa1c | out: _DstBuf="180;21;1686800682") returned 17 [0260.727] lstrlenW (lpString="䉁䑃䙅\x0c鉜ҕ靖Û林\x0c놖ҕ\x0c") returned 14 [0260.728] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80) returned 0x4dc1c98 [0260.728] lstrlenW (lpString="䉁䑃䙅\x0c⯾睨\x08") returned 7 [0260.728] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.728] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.729] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.730] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.730] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.730] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.730] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.730] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.731] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.732] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.733] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.733] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.733] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.733] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.734] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.737] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.737] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.737] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.737] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.738] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.739] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.739] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.739] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.739] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.739] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.740] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.741] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.742] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.743] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.744] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.745] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.745] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.745] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0260.745] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0260.745] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30340 [0260.745] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x2, phkResult=0xcf9fc | out: phkResult=0xcf9fc*=0x250) returned 0x0 [0260.745] RegSetValueExA (in: hKey=0x250, lpValueName="9e2d5cdb", Reserved=0x0, dwType=0x3, lpData=0x4dc1c98*, cbData=0x80 | out: lpData=0x4dc1c98*) returned 0x0 [0260.746] RegCloseKey (hKey=0x250) returned 0x0 [0260.746] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30340 | out: hHeap=0x4d40000) returned 1 [0260.747] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1c98 | out: hHeap=0x4d40000) returned 1 [0260.747] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0260.891] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0270.967] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x55057dfb, dwHighDateTime=0x1d99f3b)) [0270.970] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c302e0 [0270.970] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x2cc) returned 0x0 [0270.970] RegQueryValueExA (in: hKey=0x2cc, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0270.971] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc2050 [0270.971] RegQueryValueExA (in: hKey=0x2cc, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc2050, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc2050*, lpcbData=0xcf874*=0x38) returned 0x0 [0270.971] RegCloseKey (hKey=0x2cc) returned 0x0 [0270.971] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0270.971] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dc1df8 [0270.972] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2050 | out: hHeap=0x4d40000) returned 1 [0270.973] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c302e0 | out: hHeap=0x4d40000) returned 1 [0270.973] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1df8 | out: hHeap=0x4d40000) returned 1 [0270.973] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x55057dfb, dwHighDateTime=0x1d99f3b)) [0270.973] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0288.727] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x5f9aed75, dwHighDateTime=0x1d99f3b)) [0288.728] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30400 [0288.731] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x370) returned 0x0 [0288.731] RegQueryValueExA (in: hKey=0x370, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0288.731] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc2050 [0288.731] RegQueryValueExA (in: hKey=0x370, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc2050, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc2050*, lpcbData=0xcf874*=0x38) returned 0x0 [0288.731] RegCloseKey (hKey=0x370) returned 0x0 [0288.732] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0288.732] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dc1cc0 [0288.733] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2050 | out: hHeap=0x4d40000) returned 1 [0288.734] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30400 | out: hHeap=0x4d40000) returned 1 [0288.734] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1cc0 | out: hHeap=0x4d40000) returned 1 [0288.734] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x5f9aed75, dwHighDateTime=0x1d99f3b)) [0288.735] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) returned 0x102 [0298.729] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa60 | out: lpSystemTimeAsFileTime=0xcfa60*(dwLowDateTime=0x65915f57, dwHighDateTime=0x1d99f3b)) [0298.730] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30130 [0298.734] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf878 | out: phkResult=0xcf878*=0x320) returned 0x0 [0298.734] RegQueryValueExA (in: hKey=0x320, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x0, lpcbData=0xcf874*=0x0 | out: lpType=0xcf870*=0x3, lpData=0x0, lpcbData=0xcf874*=0x38) returned 0x0 [0298.734] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x39) returned 0x4dc2050 [0298.735] RegQueryValueExA (in: hKey=0x320, lpValueName="d4fbe363", lpReserved=0x0, lpType=0xcf870, lpData=0x4dc2050, lpcbData=0xcf874*=0x38 | out: lpType=0xcf870*=0x3, lpData=0x4dc2050*, lpcbData=0xcf874*=0x38) returned 0x0 [0298.735] RegCloseKey (hKey=0x320) returned 0x0 [0298.735] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0298.735] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dc1ea0 [0298.737] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2050 | out: hHeap=0x4d40000) returned 1 [0298.738] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30130 | out: hHeap=0x4d40000) returned 1 [0298.738] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1ea0 | out: hHeap=0x4d40000) returned 1 [0298.738] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfa18 | out: lpSystemTimeAsFileTime=0xcfa18*(dwLowDateTime=0x65915f57, dwHighDateTime=0x1d99f3b)) [0298.739] WaitForSingleObject (hHandle=0x230, dwMilliseconds=0xfa0) Thread: id = 413 os_tid = 0xab0 Thread: id = 417 os_tid = 0x4f8 [0147.565] Sleep (dwMilliseconds=0xfa0) [0151.731] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0) returned 0x4dc1ad0 [0151.731] GetDC (hWnd=0x0) returned 0x20109ec [0151.732] CreateCompatibleDC (hdc=0x20109ec) returned 0x2b0109af [0151.732] GetDeviceCaps (hdc=0x20109ec, index=8) returned 1440 [0151.732] GetDeviceCaps (hdc=0x20109ec, index=10) returned 900 [0151.732] CreateCompatibleBitmap (hdc=0x20109ec, cx=1440, cy=900) returned 0xd0509cc [0151.765] SelectObject (hdc=0x2b0109af, h=0xd0509cc) returned 0x185000f [0151.765] BitBlt (hdc=0x2b0109af, x=0, y=0, cx=1440, cy=900, hdcSrc=0x20109ec, x1=0, y1=0, rop=0xcc0020) returned 1 [0152.600] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0152.853] CopyIcon (hIcon=0x10019) returned 0x270153 [0152.855] GetIconInfo (in: hIcon=0x270153, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0152.855] GetObjectW (in: h=0xf050a4b, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0152.855] DrawIconEx (hdc=0x2b0109af, xLeft=682, yTop=445, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0152.856] SelectObject (hdc=0x2b0109af, h=0x185000f) returned 0xd0509cc [0152.856] GetObjectW (in: h=0xd0509cc, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0152.856] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x762a020 [0152.872] GetDIBits (in: hdc=0x2b0109af, hbm=0xd0509cc, start=0x0, cLines=0x384, lpvBits=0x762a020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x762a020, lpbmi=0x4cf934) returned 900 [0153.104] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x7b20020 [0153.484] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0153.487] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0153.487] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d5d2b0 [0153.489] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d6d2b8 [0153.490] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d7d2c0 [0153.491] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d8d2c8 [0153.494] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d2c8, _Size=0x2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0153.494] memcpy (in: _Dst=0x4d5d2b0, _Src=0x7b20020, _Size=0x10000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.495] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.495] memcpy (in: _Dst=0x4d652b0, _Src=0x7b30020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.497] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.497] memcpy (in: _Dst=0x4d652b0, _Src=0x7b38020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.498] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.498] memcpy (in: _Dst=0x4d652b0, _Src=0x7b40020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.499] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.499] memcpy (in: _Dst=0x4d652b0, _Src=0x7b48020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.500] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.500] memcpy (in: _Dst=0x4d652b0, _Src=0x7b50020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.500] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.500] memcpy (in: _Dst=0x4d652b0, _Src=0x7b58020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.501] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.501] memcpy (in: _Dst=0x4d652b0, _Src=0x7b60020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.501] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.501] memcpy (in: _Dst=0x4d652b0, _Src=0x7b68020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.502] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.502] memcpy (in: _Dst=0x4d652b0, _Src=0x7b70020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.502] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.502] memcpy (in: _Dst=0x4d652b0, _Src=0x7b78020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.503] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.503] memcpy (in: _Dst=0x4d652b0, _Src=0x7b80020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.504] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.504] memcpy (in: _Dst=0x4d652b0, _Src=0x7b88020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.506] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.506] memcpy (in: _Dst=0x4d652b0, _Src=0x7b90020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.759] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.759] memcpy (in: _Dst=0x4d652b0, _Src=0x7b98020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.762] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.762] memcpy (in: _Dst=0x4d652b0, _Src=0x7ba0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.763] memcpy (in: _Dst=0x4dc1bca, _Src=0x4d8d2c8, _Size=0x3ffe | out: _Dst=0x4dc1bca) returned 0x4dc1bca [0153.763] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dc72a0 [0153.763] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d912c6, _Size=0x1323 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0153.764] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.764] memcpy (in: _Dst=0x4d652b0, _Src=0x7ba8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.765] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.765] memcpy (in: _Dst=0x4d652b0, _Src=0x7bb0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.767] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.767] memcpy (in: _Dst=0x4d652b0, _Src=0x7bb8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.768] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.769] memcpy (in: _Dst=0x4d652b0, _Src=0x7bc0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.770] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.770] memcpy (in: _Dst=0x4d652b0, _Src=0x7bc8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.771] memcpy (in: _Dst=0x4dc2eeb, _Src=0x4d8d2c8, _Size=0x2cdd | out: _Dst=0x4dc2eeb) returned 0x4dc2eeb [0153.771] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4dcb2b0 [0153.773] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc72a0 | out: hHeap=0x4d40000) returned 1 [0153.773] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8ffa5, _Size=0x1e8e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0153.775] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.775] memcpy (in: _Dst=0x4d652b0, _Src=0x7bd0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.776] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.776] memcpy (in: _Dst=0x4d652b0, _Src=0x7bd8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.778] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.778] memcpy (in: _Dst=0x4d652b0, _Src=0x7be0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.780] memcpy (in: _Dst=0x4dc3a56, _Src=0x4d8d2c8, _Size=0x2172 | out: _Dst=0x4dc3a56) returned 0x4dc3a56 [0153.780] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4d9d2d0 [0153.782] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcb2b0 | out: hHeap=0x4d40000) returned 1 [0153.783] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f43a, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0153.783] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.783] memcpy (in: _Dst=0x4d652b0, _Src=0x7be8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.785] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.785] memcpy (in: _Dst=0x4d652b0, _Src=0x7bf0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.786] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.786] memcpy (in: _Dst=0x4d652b0, _Src=0x7bf8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.789] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.789] memcpy (in: _Dst=0x4d652b0, _Src=0x7c00020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.849] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.849] memcpy (in: _Dst=0x4d652b0, _Src=0x7c08020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0153.851] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0153.851] memcpy (in: _Dst=0x4d652b0, _Src=0x7c10020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.060] memcpy (in: _Dst=0x4dc40cb, _Src=0x4d8d2c8, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0154.060] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4da92e0 [0154.063] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0154.064] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8edc5, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.065] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.065] memcpy (in: _Dst=0x4d652b0, _Src=0x7c18020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.068] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.068] memcpy (in: _Dst=0x4d652b0, _Src=0x7c20020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.072] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.072] memcpy (in: _Dst=0x4d652b0, _Src=0x7c28020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.077] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.077] memcpy (in: _Dst=0x4d652b0, _Src=0x7c30020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.082] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.082] memcpy (in: _Dst=0x4d652b0, _Src=0x7c38020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.088] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.088] memcpy (in: _Dst=0x4d652b0, _Src=0x7c40020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.093] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.093] memcpy (in: _Dst=0x4d652b0, _Src=0x7c48020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.096] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.096] memcpy (in: _Dst=0x4d652b0, _Src=0x7c50020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.097] memcpy (in: _Dst=0x4dc453f, _Src=0x4d8d2c8, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0154.097] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c30048 [0154.101] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4da92e0 | out: hHeap=0x4d40000) returned 1 [0154.277] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e951, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.277] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4d9d2d0 [0154.280] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0154.281] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92951, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.282] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.282] memcpy (in: _Dst=0x4d652b0, _Src=0x7c58020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.283] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4d8d2c8, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0154.283] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c30048 [0154.287] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0154.288] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8feb8, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.289] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.289] memcpy (in: _Dst=0x4d652b0, _Src=0x7c60020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.290] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.291] memcpy (in: _Dst=0x4d652b0, _Src=0x7c68020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.292] memcpy (in: _Dst=0x4dc4597, _Src=0x4d8d2c8, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0154.292] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d9d2d0 [0154.295] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0154.297] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e8f9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.297] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4c30048 [0154.301] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0154.303] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d928f9, _Size=0x438 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.303] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.303] memcpy (in: _Dst=0x4d652b0, _Src=0x7c70020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.304] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.304] memcpy (in: _Dst=0x4d652b0, _Src=0x7c78020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.307] memcpy (in: _Dst=0x4dc2000, _Src=0x4d8d2c8, _Size=0x3bc8 | out: _Dst=0x4dc2000) returned 0x4dc2000 [0154.307] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c54058 [0154.311] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0154.312] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90e90, _Size=0x203c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.313] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.313] memcpy (in: _Dst=0x4d652b0, _Src=0x7c80020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.314] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.314] memcpy (in: _Dst=0x4d652b0, _Src=0x7c88020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.315] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.315] memcpy (in: _Dst=0x4d652b0, _Src=0x7c90020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.316] memcpy (in: _Dst=0x4dc3c04, _Src=0x4d8d2c8, _Size=0x1fc4 | out: _Dst=0x4dc3c04) returned 0x4dc3c04 [0154.316] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4c7c068 [0154.321] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c54058 | out: hHeap=0x4d40000) returned 1 [0154.573] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f28c, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.574] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.574] memcpy (in: _Dst=0x4d652b0, _Src=0x7c98020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.575] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.576] memcpy (in: _Dst=0x4d652b0, _Src=0x7ca0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.577] memcpy (in: _Dst=0x4dc5af9, _Src=0x4d8d2c8, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0154.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4c30048 [0154.583] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c7c068 | out: hHeap=0x4d40000) returned 1 [0154.585] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d397, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.585] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c60058 [0154.597] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0154.599] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91397, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.600] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.600] memcpy (in: _Dst=0x4d652b0, _Src=0x7ca8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.604] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.604] memcpy (in: _Dst=0x4d652b0, _Src=0x7cb0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.605] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0154.605] memcpy (in: _Dst=0x4d652b0, _Src=0x7cb8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0154.606] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4d8d2c8, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0154.606] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4c94068 [0154.613] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c60058 | out: hHeap=0x4d40000) returned 1 [0154.616] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f176, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0154.616] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30048 [0155.290] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c94068 | out: hHeap=0x4d40000) returned 1 [0155.296] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93176, _Size=0x861 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.297] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.297] memcpy (in: _Dst=0x4d652b0, _Src=0x7cc0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.299] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.299] memcpy (in: _Dst=0x4d652b0, _Src=0x7cc8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.300] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.300] memcpy (in: _Dst=0x4d652b0, _Src=0x7cd0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.301] memcpy (in: _Dst=0x4dc2429, _Src=0x4d8d2c8, _Size=0x379f | out: _Dst=0x4dc2429) returned 0x4dc2429 [0155.301] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4c6c058 [0155.317] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0155.575] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90a67, _Size=0x335d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.576] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.576] memcpy (in: _Dst=0x4d652b0, _Src=0x7cd8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.577] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.578] memcpy (in: _Dst=0x4d652b0, _Src=0x7ce0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.579] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.579] memcpy (in: _Dst=0x4d652b0, _Src=0x7ce8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.580] memcpy (in: _Dst=0x4dc4f25, _Src=0x4d8d2c8, _Size=0xca3 | out: _Dst=0x4dc4f25) returned 0x4dc4f25 [0155.580] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4cac068 [0155.587] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c6c058 | out: hHeap=0x4d40000) returned 1 [0155.591] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8df6b, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.591] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4c30048 [0155.597] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cac068 | out: hHeap=0x4d40000) returned 1 [0155.597] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91f6b, _Size=0x1e7a | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.598] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.598] memcpy (in: _Dst=0x4d652b0, _Src=0x7cf0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.600] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.600] memcpy (in: _Dst=0x4d652b0, _Src=0x7cf8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.601] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.602] memcpy (in: _Dst=0x4d652b0, _Src=0x7d00020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.607] memcpy (in: _Dst=0x4dc3a42, _Src=0x4d8d2c8, _Size=0x2186 | out: _Dst=0x4dc3a42) returned 0x4dc3a42 [0155.607] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c78058 [0155.611] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0155.611] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f44e, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.612] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x8020048 [0155.875] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c78058 | out: hHeap=0x4d40000) returned 1 [0155.880] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9344e, _Size=0xade | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.881] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.881] memcpy (in: _Dst=0x4d652b0, _Src=0x7d08020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.884] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.884] memcpy (in: _Dst=0x4d652b0, _Src=0x7d10020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.886] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.886] memcpy (in: _Dst=0x4d652b0, _Src=0x7d18020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.888] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.888] memcpy (in: _Dst=0x4d652b0, _Src=0x7d20020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.890] memcpy (in: _Dst=0x4dc26a6, _Src=0x4d8d2c8, _Size=0x3522 | out: _Dst=0x4dc26a6) returned 0x4dc26a6 [0155.890] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x4c30048 [0155.899] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0155.899] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d907ea, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0155.901] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.901] memcpy (in: _Dst=0x4d652b0, _Src=0x7d28020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.903] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.903] memcpy (in: _Dst=0x4d652b0, _Src=0x7d30020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.906] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.906] memcpy (in: _Dst=0x4d652b0, _Src=0x7d38020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.908] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0155.908] memcpy (in: _Dst=0x4d652b0, _Src=0x7d40020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0155.910] memcpy (in: _Dst=0x4dc59e7, _Src=0x4d8d2c8, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0155.910] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4c84058 [0156.139] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0156.139] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d4a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.139] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8020048 [0156.146] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c84058 | out: hHeap=0x4d40000) returned 1 [0156.152] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d914a9, _Size=0x32f5 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.154] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.154] memcpy (in: _Dst=0x4d652b0, _Src=0x7d48020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.157] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.157] memcpy (in: _Dst=0x4d652b0, _Src=0x7d50020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.161] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.161] memcpy (in: _Dst=0x4d652b0, _Src=0x7d58020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.164] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.165] memcpy (in: _Dst=0x4d652b0, _Src=0x7d60020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.165] memcpy (in: _Dst=0x4dc4ebd, _Src=0x4d8d2c8, _Size=0xd0b | out: _Dst=0x4dc4ebd) returned 0x4dc4ebd [0156.165] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4c30048 [0156.177] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0156.386] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8dfd3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.386] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x4c90058 [0156.429] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0156.667] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91fd3, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.670] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.670] memcpy (in: _Dst=0x4d652b0, _Src=0x7d68020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.672] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.673] memcpy (in: _Dst=0x4d652b0, _Src=0x7d70020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.675] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.675] memcpy (in: _Dst=0x4d652b0, _Src=0x7d78020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.677] memcpy (in: _Dst=0x4dc430c, _Src=0x4d8d2c8, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0156.677] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0156.690] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c90058 | out: hHeap=0x4d40000) returned 1 [0156.699] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8eb84, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.699] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x4c30048 [0156.713] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0156.951] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92b84, _Size=0x1d9b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.952] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.952] memcpy (in: _Dst=0x4d652b0, _Src=0x7d80020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.955] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.955] memcpy (in: _Dst=0x4d652b0, _Src=0x7d88020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.958] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.958] memcpy (in: _Dst=0x4d652b0, _Src=0x7d90020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.961] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.961] memcpy (in: _Dst=0x4d652b0, _Src=0x7d98020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.962] memcpy (in: _Dst=0x4dc3963, _Src=0x4d8d2c8, _Size=0x2265 | out: _Dst=0x4dc3963) returned 0x4dc3963 [0156.962] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x4c9c058 [0156.973] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0156.973] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f52d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.973] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8020048 [0156.978] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c9c058 | out: hHeap=0x4d40000) returned 1 [0156.985] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9352d, _Size=0x1257 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0156.987] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.987] memcpy (in: _Dst=0x4d652b0, _Src=0x7da0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0156.990] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0156.990] memcpy (in: _Dst=0x4d652b0, _Src=0x7da8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.200] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.200] memcpy (in: _Dst=0x4d652b0, _Src=0x7db0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.201] memcpy (in: _Dst=0x4dc2e1f, _Src=0x4d8d2c8, _Size=0x2da9 | out: _Dst=0x4dc2e1f) returned 0x4dc2e1f [0157.201] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x4c30048 [0157.212] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0157.219] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90071, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.220] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x4ca8058 [0157.235] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30048 | out: hHeap=0x4d40000) returned 1 [0157.235] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d94071, _Size=0x5be | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.236] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.236] memcpy (in: _Dst=0x4d652b0, _Src=0x7db8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.239] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.239] memcpy (in: _Dst=0x4d652b0, _Src=0x7dc0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.242] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.242] memcpy (in: _Dst=0x4d652b0, _Src=0x7dc8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.378] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.378] memcpy (in: _Dst=0x4d652b0, _Src=0x7dd0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.379] memcpy (in: _Dst=0x4dc2186, _Src=0x4d8d2c8, _Size=0x3a42 | out: _Dst=0x4dc2186) returned 0x4dc2186 [0157.379] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x6635020 [0157.390] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ca8058 | out: hHeap=0x4d40000) returned 1 [0157.396] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90d0a, _Size=0x3e63 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.398] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.398] memcpy (in: _Dst=0x4d652b0, _Src=0x7dd8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.401] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.401] memcpy (in: _Dst=0x4d652b0, _Src=0x7de0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.403] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.403] memcpy (in: _Dst=0x4d652b0, _Src=0x7de8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.405] memcpy (in: _Dst=0x4dc5a2b, _Src=0x4d8d2c8, _Size=0x19d | out: _Dst=0x4dc5a2b) returned 0x4dc5a2b [0157.405] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x8226020 [0157.417] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x6635020 | out: hHeap=0x4d40000) returned 1 [0157.533] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d465, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.533] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x6637020 [0157.546] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8226020 | out: hHeap=0x4d40000) returned 1 [0157.549] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91465, _Size=0x3504 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.550] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.550] memcpy (in: _Dst=0x4d652b0, _Src=0x7df0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.553] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.553] memcpy (in: _Dst=0x4d652b0, _Src=0x7df8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.556] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.556] memcpy (in: _Dst=0x4d652b0, _Src=0x7e00020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.558] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.558] memcpy (in: _Dst=0x4d652b0, _Src=0x7e08020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.559] memcpy (in: _Dst=0x4dc50cc, _Src=0x4d8d2c8, _Size=0xafc | out: _Dst=0x4dc50cc) returned 0x4dc50cc [0157.559] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x8224020 [0157.571] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x6637020 | out: hHeap=0x4d40000) returned 1 [0157.689] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8ddc4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.689] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x663d020 [0157.702] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8224020 | out: hHeap=0x4d40000) returned 1 [0157.707] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91dc4, _Size=0x2b9e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.709] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.709] memcpy (in: _Dst=0x4d652b0, _Src=0x7e10020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.713] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.713] memcpy (in: _Dst=0x4d652b0, _Src=0x7e18020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.715] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.715] memcpy (in: _Dst=0x4d652b0, _Src=0x7e20020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.717] memcpy (in: _Dst=0x4dc4766, _Src=0x4d8d2c8, _Size=0x1462 | out: _Dst=0x4dc4766) returned 0x4dc4766 [0157.717] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x822f020 [0157.893] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x663d020 | out: hHeap=0x4d40000) returned 1 [0157.900] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e72a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.900] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x663a020 [0157.915] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822f020 | out: hHeap=0x4d40000) returned 1 [0157.920] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9272a, _Size=0x1ff2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0157.921] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.922] memcpy (in: _Dst=0x4d652b0, _Src=0x7e28020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.923] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.924] memcpy (in: _Dst=0x4d652b0, _Src=0x7e30020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.926] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0157.926] memcpy (in: _Dst=0x4d652b0, _Src=0x7e38020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0157.928] memcpy (in: _Dst=0x4dc3bba, _Src=0x4d8d2c8, _Size=0x200e | out: _Dst=0x4dc3bba) returned 0x4dc3bba [0157.928] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x822c020 [0158.020] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x663a020 | out: hHeap=0x4d40000) returned 1 [0158.024] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f2d6, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.024] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x663f020 [0158.038] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822c020 | out: hHeap=0x4d40000) returned 1 [0158.050] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d932d6, _Size=0x17b2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.050] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.050] memcpy (in: _Dst=0x4d652b0, _Src=0x7e40020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.052] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.052] memcpy (in: _Dst=0x4d652b0, _Src=0x7e48020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.054] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.054] memcpy (in: _Dst=0x4d652b0, _Src=0x7e50020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.183] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.183] memcpy (in: _Dst=0x4d652b0, _Src=0x7e58020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.184] memcpy (in: _Dst=0x4dc337a, _Src=0x4d8d2c8, _Size=0x284e | out: _Dst=0x4dc337a) returned 0x4dc337a [0158.184] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x822c020 [0158.202] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x663f020 | out: hHeap=0x4d40000) returned 1 [0158.211] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8fb16, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.211] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x6634020 [0158.228] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822c020 | out: hHeap=0x4d40000) returned 1 [0158.342] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93b16, _Size=0x9f9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.343] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.344] memcpy (in: _Dst=0x4d652b0, _Src=0x7e60020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.346] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.346] memcpy (in: _Dst=0x4d652b0, _Src=0x7e68020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.348] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.348] memcpy (in: _Dst=0x4d652b0, _Src=0x7e70020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.348] memcpy (in: _Dst=0x4dc25c1, _Src=0x4d8d2c8, _Size=0x3607 | out: _Dst=0x4dc25c1) returned 0x4dc25c1 [0158.349] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x822b020 [0158.364] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x6634020 | out: hHeap=0x4d40000) returned 1 [0158.369] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d908cf, _Size=0x3c69 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.371] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.371] memcpy (in: _Dst=0x4d652b0, _Src=0x7e78020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.373] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.373] memcpy (in: _Dst=0x4d652b0, _Src=0x7e80020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.376] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.376] memcpy (in: _Dst=0x4d652b0, _Src=0x7e88020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.377] memcpy (in: _Dst=0x4dc5831, _Src=0x4d8d2c8, _Size=0x397 | out: _Dst=0x4dc5831) returned 0x4dc5831 [0158.377] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x663a020 [0158.501] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822b020 | out: hHeap=0x4d40000) returned 1 [0158.505] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d65f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.505] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x822c020 [0158.521] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x663a020 | out: hHeap=0x4d40000) returned 1 [0158.526] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9165f, _Size=0x2c96 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.528] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.528] memcpy (in: _Dst=0x4d652b0, _Src=0x7e90020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.530] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.530] memcpy (in: _Dst=0x4d652b0, _Src=0x7e98020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.532] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.532] memcpy (in: _Dst=0x4d652b0, _Src=0x7ea0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.533] memcpy (in: _Dst=0x4dc485e, _Src=0x4d8d2c8, _Size=0x136a | out: _Dst=0x4dc485e) returned 0x4dc485e [0158.533] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x6632020 [0158.625] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822c020 | out: hHeap=0x4d40000) returned 1 [0158.629] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e632, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.629] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x822f020 [0158.643] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x6632020 | out: hHeap=0x4d40000) returned 1 [0158.648] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92632, _Size=0x1e64 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.651] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.651] memcpy (in: _Dst=0x4d652b0, _Src=0x7ea8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.653] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.653] memcpy (in: _Dst=0x4d652b0, _Src=0x7eb0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.654] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.654] memcpy (in: _Dst=0x4d652b0, _Src=0x7eb8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.655] memcpy (in: _Dst=0x4dc3a2c, _Src=0x4d8d2c8, _Size=0x219c | out: _Dst=0x4dc3a2c) returned 0x4dc3a2c [0158.655] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x82fa020 [0158.753] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822f020 | out: hHeap=0x4d40000) returned 1 [0158.760] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f464, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.760] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x83cd020 [0158.780] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x82fa020 | out: hHeap=0x4d40000) returned 1 [0158.865] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93464, _Size=0xe5b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.867] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.867] memcpy (in: _Dst=0x4d652b0, _Src=0x7ec0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.868] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.869] memcpy (in: _Dst=0x4d652b0, _Src=0x7ec8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.870] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.870] memcpy (in: _Dst=0x4d652b0, _Src=0x7ed0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.871] memcpy (in: _Dst=0x4dc2a23, _Src=0x4d8d2c8, _Size=0x31a5 | out: _Dst=0x4dc2a23) returned 0x4dc2a23 [0158.871] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x822b020 [0158.894] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x83cd020 | out: hHeap=0x4d40000) returned 1 [0158.947] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9046d, _Size=0x3f6b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0158.948] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.948] memcpy (in: _Dst=0x4d652b0, _Src=0x7ed8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.950] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.950] memcpy (in: _Dst=0x4d652b0, _Src=0x7ee0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.952] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0158.952] memcpy (in: _Dst=0x4d652b0, _Src=0x7ee8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0158.953] memcpy (in: _Dst=0x4dc5b33, _Src=0x4d8d2c8, _Size=0x95 | out: _Dst=0x4dc5b33) returned 0x4dc5b33 [0158.953] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x8309020 [0158.976] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822b020 | out: hHeap=0x4d40000) returned 1 [0159.028] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d35d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.028] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x822b020 [0159.053] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8309020 | out: hHeap=0x4d40000) returned 1 [0159.058] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9135d, _Size=0x3066 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.061] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.061] memcpy (in: _Dst=0x4d652b0, _Src=0x7ef0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.064] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.064] memcpy (in: _Dst=0x4d652b0, _Src=0x7ef8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.066] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.066] memcpy (in: _Dst=0x4d652b0, _Src=0x7f00020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.067] memcpy (in: _Dst=0x4dc4c2e, _Src=0x4d8d2c8, _Size=0xf9a | out: _Dst=0x4dc4c2e) returned 0x4dc4c2e [0159.067] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x8302020 [0159.133] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822b020 | out: hHeap=0x4d40000) returned 1 [0159.142] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e262, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.142] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x8223020 [0159.171] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8302020 | out: hHeap=0x4d40000) returned 1 [0159.248] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92262, _Size=0x21a6 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.250] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.250] memcpy (in: _Dst=0x4d652b0, _Src=0x7f08020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.252] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.252] memcpy (in: _Dst=0x4d652b0, _Src=0x7f10020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.254] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.255] memcpy (in: _Dst=0x4d652b0, _Src=0x7f18020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.256] memcpy (in: _Dst=0x4dc3d6e, _Src=0x4d8d2c8, _Size=0x1e5a | out: _Dst=0x4dc3d6e) returned 0x4dc3d6e [0159.256] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x8308020 [0159.276] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8223020 | out: hHeap=0x4d40000) returned 1 [0159.357] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f122, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.357] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x83fe020 [0159.382] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8308020 | out: hHeap=0x4d40000) returned 1 [0159.392] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93122, _Size=0x16e9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.394] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.394] memcpy (in: _Dst=0x4d652b0, _Src=0x7f20020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.397] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.397] memcpy (in: _Dst=0x4d652b0, _Src=0x7f28020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.456] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.456] memcpy (in: _Dst=0x4d652b0, _Src=0x7f30020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.457] memcpy (in: _Dst=0x4dc32b1, _Src=0x4d8d2c8, _Size=0x2917 | out: _Dst=0x4dc32b1) returned 0x4dc32b1 [0159.457] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x8229020 [0159.477] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x83fe020 | out: hHeap=0x4d40000) returned 1 [0159.483] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8fbdf, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.483] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x831f020 [0159.558] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8229020 | out: hHeap=0x4d40000) returned 1 [0159.567] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93bdf, _Size=0xa66 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.568] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.569] memcpy (in: _Dst=0x4d652b0, _Src=0x7f38020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.571] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.571] memcpy (in: _Dst=0x4d652b0, _Src=0x7f40020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.573] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.573] memcpy (in: _Dst=0x4d652b0, _Src=0x7f48020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.574] memcpy (in: _Dst=0x4dc262e, _Src=0x4d8d2c8, _Size=0x359a | out: _Dst=0x4dc262e) returned 0x4dc262e [0159.574] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x841b020 [0159.690] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x831f020 | out: hHeap=0x4d40000) returned 1 [0159.696] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90862, _Size=0x3b5c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.697] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.697] memcpy (in: _Dst=0x4d652b0, _Src=0x7f50020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.699] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.699] memcpy (in: _Dst=0x4d652b0, _Src=0x7f58020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.701] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.701] memcpy (in: _Dst=0x4d652b0, _Src=0x7f60020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.703] memcpy (in: _Dst=0x4dc5724, _Src=0x4d8d2c8, _Size=0x4a4 | out: _Dst=0x4dc5724) returned 0x4dc5724 [0159.703] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x8228020 [0159.724] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x841b020 | out: hHeap=0x4d40000) returned 1 [0159.774] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d76c, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.775] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x8324020 [0159.795] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8228020 | out: hHeap=0x4d40000) returned 1 [0159.801] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9176c, _Size=0x325e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.802] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.802] memcpy (in: _Dst=0x4d652b0, _Src=0x7f68020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.805] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.805] memcpy (in: _Dst=0x4d652b0, _Src=0x7f70020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.824] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.824] memcpy (in: _Dst=0x4d652b0, _Src=0x7f78020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.826] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0159.826] memcpy (in: _Dst=0x4d652b0, _Src=0x7f80020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0159.827] memcpy (in: _Dst=0x4dc4e26, _Src=0x4d8d2c8, _Size=0xda2 | out: _Dst=0x4dc4e26) returned 0x4dc4e26 [0159.827] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x8222020 [0159.879] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8324020 | out: hHeap=0x4d40000) returned 1 [0159.926] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e06a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0159.926] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x832c020 [0159.952] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8222020 | out: hHeap=0x4d40000) returned 1 [0160.006] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9206a, _Size=0x2b21 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.009] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.009] memcpy (in: _Dst=0x4d652b0, _Src=0x7f88020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.011] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.011] memcpy (in: _Dst=0x4d652b0, _Src=0x7f90020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.014] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.014] memcpy (in: _Dst=0x4d652b0, _Src=0x7f98020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.015] memcpy (in: _Dst=0x4dc46e9, _Src=0x4d8d2c8, _Size=0x14df | out: _Dst=0x4dc46e9) returned 0x4dc46e9 [0160.015] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x8436020 [0160.037] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x832c020 | out: hHeap=0x4d40000) returned 1 [0160.086] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e7a7, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.086] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x822a020 [0160.107] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8436020 | out: hHeap=0x4d40000) returned 1 [0160.113] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d927a7, _Size=0x2124 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.114] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.115] memcpy (in: _Dst=0x4d652b0, _Src=0x7fa0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.171] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.171] memcpy (in: _Dst=0x4d652b0, _Src=0x7fa8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.174] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.174] memcpy (in: _Dst=0x4d652b0, _Src=0x7fb0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.178] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.178] memcpy (in: _Dst=0x4d652b0, _Src=0x7fb8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.179] memcpy (in: _Dst=0x4dc3cec, _Src=0x4d8d2c8, _Size=0x1edc | out: _Dst=0x4dc3cec) returned 0x4dc3cec [0160.181] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x8334020 [0160.209] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822a020 | out: hHeap=0x4d40000) returned 1 [0160.264] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f1a4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.264] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x8443020 [0160.287] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8334020 | out: hHeap=0x4d40000) returned 1 [0160.294] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d931a4, _Size=0x1a76 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.297] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.297] memcpy (in: _Dst=0x4d652b0, _Src=0x7fc0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.300] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.300] memcpy (in: _Dst=0x4d652b0, _Src=0x7fc8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.304] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.304] memcpy (in: _Dst=0x4d652b0, _Src=0x7fd0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.355] memcpy (in: _Dst=0x4dc363e, _Src=0x4d8d2c8, _Size=0x258a | out: _Dst=0x4dc363e) returned 0x4dc363e [0160.355] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x8229020 [0160.378] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8443020 | out: hHeap=0x4d40000) returned 1 [0160.386] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f852, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.386] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x834c020 [0160.467] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8229020 | out: hHeap=0x4d40000) returned 1 [0160.474] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93852, _Size=0x1197 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.475] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.475] memcpy (in: _Dst=0x4d652b0, _Src=0x7fd8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.478] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.478] memcpy (in: _Dst=0x4d652b0, _Src=0x7fe0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.481] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.482] memcpy (in: _Dst=0x4d652b0, _Src=0x7fe8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.485] memcpy (in: _Dst=0x4dc2d5f, _Src=0x4d8d2c8, _Size=0x2e69 | out: _Dst=0x4dc2d5f) returned 0x4dc2d5f [0160.485] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x8222020 [0160.617] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x834c020 | out: hHeap=0x4d40000) returned 1 [0160.624] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90131, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.624] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x8343020 [0160.698] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8222020 | out: hHeap=0x4d40000) returned 1 [0160.704] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d94131, _Size=0x706 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0160.705] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.705] memcpy (in: _Dst=0x4d652b0, _Src=0x7ff0020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.708] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.708] memcpy (in: _Dst=0x4d652b0, _Src=0x7ff8020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.725] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.725] memcpy (in: _Dst=0x4d652b0, _Src=0x8000020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.792] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0160.792] memcpy (in: _Dst=0x4d652b0, _Src=0x8008020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0160.794] memcpy (in: _Dst=0x4dc22ce, _Src=0x4d8d2c8, _Size=0x38fa | out: _Dst=0x4dc22ce) returned 0x4dc22ce [0160.795] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x847f020 [0160.821] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8343020 | out: hHeap=0x4d40000) returned 1 [0161.016] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90bc2, _Size=0x3e11 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0161.017] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0161.017] memcpy (in: _Dst=0x4d652b0, _Src=0x8010020, _Size=0x1a36 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0161.018] memcpy (in: _Dst=0x4dc59d9, _Src=0x4d8d2c8, _Size=0x1ef | out: _Dst=0x4dc59d9) returned 0x4dc59d9 [0161.018] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x8224020 [0161.051] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x847f020 | out: hHeap=0x4d40000) returned 1 [0161.109] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d4b7, _Size=0xf01 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0161.109] memcpy (in: _Dst=0x4dc2ac9, _Src=0x4d8d2c8, _Size=0x4 | out: _Dst=0x4dc2ac9) returned 0x4dc2ac9 [0161.109] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124f06) returned 0x8356020 [0161.136] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8224020 | out: hHeap=0x4d40000) returned 1 [0161.189] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d8d2c8 | out: hHeap=0x4d40000) returned 1 [0161.193] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0161.196] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d6d2b8 | out: hHeap=0x4d40000) returned 1 [0161.199] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0161.201] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0161.206] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0161.234] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x762a020 | out: hHeap=0x4d40000) returned 1 [0161.320] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7b20020 | out: hHeap=0x4d40000) returned 1 [0161.359] DeleteDC (hdc=0x2b0109af) returned 1 [0161.359] DeleteDC (hdc=0x20109ec) returned 1 [0161.359] DeleteObject (ho=0xd0509cc) returned 1 [0161.360] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x13afb400, dwHighDateTime=0x1d99f3b)) [0161.360] Sleep (dwMilliseconds=0x3a98) [0171.448] GetDC (hWnd=0x0) returned 0x180106a8 [0171.449] CreateCompatibleDC (hdc=0x180106a8) returned 0xf010a30 [0171.449] GetDeviceCaps (hdc=0x180106a8, index=8) returned 1440 [0171.449] GetDeviceCaps (hdc=0x180106a8, index=10) returned 900 [0171.449] CreateCompatibleBitmap (hdc=0x180106a8, cx=1440, cy=900) returned 0x27050a3c [0171.487] SelectObject (hdc=0xf010a30, h=0x27050a3c) returned 0x185000f [0171.487] BitBlt (hdc=0xf010a30, x=0, y=0, cx=1440, cy=900, hdcSrc=0x180106a8, x1=0, y1=0, rop=0xcc0020) returned 1 [0172.359] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0172.359] CopyIcon (hIcon=0x10019) returned 0x140209 [0172.361] GetIconInfo (in: hIcon=0x140209, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0172.361] GetObjectW (in: h=0x5a050987, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0172.361] DrawIconEx (hdc=0xf010a30, xLeft=66, yTop=188, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0172.361] SelectObject (hdc=0xf010a30, h=0x185000f) returned 0x27050a3c [0172.361] GetObjectW (in: h=0x27050a3c, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0172.365] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x848a020 [0172.383] GetDIBits (in: hdc=0xf010a30, hbm=0x27050a3c, start=0x0, cLines=0x384, lpvBits=0x848a020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x848a020, lpbmi=0x4cf934) returned 900 [0172.643] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x7124020 [0173.539] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0173.540] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0173.540] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d5d2b0 [0173.542] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d6d2b8 [0173.543] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d7d2c0 [0173.544] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4d8d2c8 [0173.546] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d2c8, _Size=0x2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.546] memcpy (in: _Dst=0x4d5d2b0, _Src=0x7124020, _Size=0x10000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.547] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.547] memcpy (in: _Dst=0x4d652b0, _Src=0x7134020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.549] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.549] memcpy (in: _Dst=0x4d652b0, _Src=0x713c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.550] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.550] memcpy (in: _Dst=0x4d652b0, _Src=0x7144020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.551] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.552] memcpy (in: _Dst=0x4d652b0, _Src=0x714c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.552] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.552] memcpy (in: _Dst=0x4d652b0, _Src=0x7154020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.553] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.553] memcpy (in: _Dst=0x4d652b0, _Src=0x715c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.553] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.553] memcpy (in: _Dst=0x4d652b0, _Src=0x7164020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.554] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.554] memcpy (in: _Dst=0x4d652b0, _Src=0x716c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.555] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.563] memcpy (in: _Dst=0x4d652b0, _Src=0x7174020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.564] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.564] memcpy (in: _Dst=0x4d652b0, _Src=0x717c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.565] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.565] memcpy (in: _Dst=0x4d652b0, _Src=0x7184020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.567] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.567] memcpy (in: _Dst=0x4d652b0, _Src=0x718c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.569] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.569] memcpy (in: _Dst=0x4d652b0, _Src=0x7194020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.579] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.580] memcpy (in: _Dst=0x4d652b0, _Src=0x719c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.583] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.583] memcpy (in: _Dst=0x4d652b0, _Src=0x71a4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.585] memcpy (in: _Dst=0x4dc1bca, _Src=0x4d8d2c8, _Size=0x3ffe | out: _Dst=0x4dc1bca) returned 0x4dc1bca [0173.585] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0173.586] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d912c6, _Size=0x1325 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.634] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.634] memcpy (in: _Dst=0x4d652b0, _Src=0x71ac020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.636] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.636] memcpy (in: _Dst=0x4d652b0, _Src=0x71b4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.638] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.638] memcpy (in: _Dst=0x4d652b0, _Src=0x71bc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.640] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.640] memcpy (in: _Dst=0x4d652b0, _Src=0x71c4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.642] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.642] memcpy (in: _Dst=0x4d652b0, _Src=0x71cc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.643] memcpy (in: _Dst=0x4dc2eed, _Src=0x4d8d2c8, _Size=0x2cdb | out: _Dst=0x4dc2eed) returned 0x4dc2eed [0173.643] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4d9d2d0 [0173.644] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0173.645] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8ffa3, _Size=0x1e90 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.646] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.646] memcpy (in: _Dst=0x4d652b0, _Src=0x71d4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.648] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.648] memcpy (in: _Dst=0x4d652b0, _Src=0x71dc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.654] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.654] memcpy (in: _Dst=0x4d652b0, _Src=0x71e4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.656] memcpy (in: _Dst=0x4dc3a58, _Src=0x4d8d2c8, _Size=0x2170 | out: _Dst=0x4dc3a58) returned 0x4dc3a58 [0173.656] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4da52e0 [0173.659] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0173.659] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f438, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.659] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.659] memcpy (in: _Dst=0x4d652b0, _Src=0x71ec020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.662] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.662] memcpy (in: _Dst=0x4d652b0, _Src=0x71f4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.664] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.664] memcpy (in: _Dst=0x4d652b0, _Src=0x71fc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.671] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.671] memcpy (in: _Dst=0x4d652b0, _Src=0x7204020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.674] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.674] memcpy (in: _Dst=0x4d652b0, _Src=0x720c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.677] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.677] memcpy (in: _Dst=0x4d652b0, _Src=0x7214020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.720] memcpy (in: _Dst=0x4dc40cb, _Src=0x4d8d2c8, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0173.721] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c30450 [0173.723] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4da52e0 | out: hHeap=0x4d40000) returned 1 [0173.724] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8edc5, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.724] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.724] memcpy (in: _Dst=0x4d652b0, _Src=0x721c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.731] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.731] memcpy (in: _Dst=0x4d652b0, _Src=0x7224020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.735] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.735] memcpy (in: _Dst=0x4d652b0, _Src=0x722c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.744] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.744] memcpy (in: _Dst=0x4d652b0, _Src=0x7234020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.750] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.750] memcpy (in: _Dst=0x4d652b0, _Src=0x723c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.755] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.755] memcpy (in: _Dst=0x4d652b0, _Src=0x7244020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.797] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.797] memcpy (in: _Dst=0x4d652b0, _Src=0x724c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.800] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.800] memcpy (in: _Dst=0x4d652b0, _Src=0x7254020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.801] memcpy (in: _Dst=0x4dc453f, _Src=0x4d8d2c8, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0173.801] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4d9d2d0 [0173.803] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0173.803] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e951, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.803] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0173.807] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0173.810] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92951, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.811] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.812] memcpy (in: _Dst=0x4d652b0, _Src=0x725c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.813] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4d8d2c8, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0173.813] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4d9d2d0 [0173.816] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0173.816] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8feb8, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.816] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.816] memcpy (in: _Dst=0x4d652b0, _Src=0x7264020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.818] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.818] memcpy (in: _Dst=0x4d652b0, _Src=0x726c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.819] memcpy (in: _Dst=0x4dc4597, _Src=0x4d8d2c8, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0173.820] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4c30450 [0173.822] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d9d2d0 | out: hHeap=0x4d40000) returned 1 [0173.822] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e8f9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.822] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4c50460 [0173.830] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0173.830] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d928f9, _Size=0x439 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.831] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.832] memcpy (in: _Dst=0x4d652b0, _Src=0x7274020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.834] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.834] memcpy (in: _Dst=0x4d652b0, _Src=0x727c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.873] memcpy (in: _Dst=0x4dc2001, _Src=0x4d8d2c8, _Size=0x3bc7 | out: _Dst=0x4dc2001) returned 0x4dc2001 [0173.873] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c74470 [0173.878] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c50460 | out: hHeap=0x4d40000) returned 1 [0173.878] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90e8f, _Size=0x203d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.879] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.879] memcpy (in: _Dst=0x4d652b0, _Src=0x7284020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.880] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.880] memcpy (in: _Dst=0x4d652b0, _Src=0x728c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.881] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.881] memcpy (in: _Dst=0x4d652b0, _Src=0x7294020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.882] memcpy (in: _Dst=0x4dc3c05, _Src=0x4d8d2c8, _Size=0x1fc3 | out: _Dst=0x4dc3c05) returned 0x4dc3c05 [0173.882] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4c30450 [0173.885] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c74470 | out: hHeap=0x4d40000) returned 1 [0173.930] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f28b, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.931] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.931] memcpy (in: _Dst=0x4d652b0, _Src=0x729c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.932] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.932] memcpy (in: _Dst=0x4d652b0, _Src=0x72a4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.934] memcpy (in: _Dst=0x4dc5af9, _Src=0x4d8d2c8, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0173.934] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4c5c460 [0173.936] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0173.938] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d397, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.938] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c8c470 [0173.943] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c5c460 | out: hHeap=0x4d40000) returned 1 [0173.943] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91397, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.943] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.943] memcpy (in: _Dst=0x4d652b0, _Src=0x72ac020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.944] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.945] memcpy (in: _Dst=0x4d652b0, _Src=0x72b4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.948] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.948] memcpy (in: _Dst=0x4d652b0, _Src=0x72bc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.949] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4d8d2c8, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0173.949] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4c30450 [0173.952] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c8c470 | out: hHeap=0x4d40000) returned 1 [0173.952] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f176, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.952] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c68460 [0173.954] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0173.954] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93176, _Size=0x862 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.955] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.955] memcpy (in: _Dst=0x4d652b0, _Src=0x72c4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.957] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.957] memcpy (in: _Dst=0x4d652b0, _Src=0x72cc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.958] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.958] memcpy (in: _Dst=0x4d652b0, _Src=0x72d4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.959] memcpy (in: _Dst=0x4dc242a, _Src=0x4d8d2c8, _Size=0x379e | out: _Dst=0x4dc242a) returned 0x4dc242a [0173.959] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4ca4470 [0173.967] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c68460 | out: hHeap=0x4d40000) returned 1 [0173.967] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90a66, _Size=0x335c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0173.968] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.968] memcpy (in: _Dst=0x4d652b0, _Src=0x72dc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.970] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.970] memcpy (in: _Dst=0x4d652b0, _Src=0x72e4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.972] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0173.972] memcpy (in: _Dst=0x4d652b0, _Src=0x72ec020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0173.973] memcpy (in: _Dst=0x4dc4f24, _Src=0x4d8d2c8, _Size=0xca4 | out: _Dst=0x4dc4f24) returned 0x4dc4f24 [0173.973] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0173.976] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ca4470 | out: hHeap=0x4d40000) returned 1 [0174.006] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8df6c, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.006] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4c74460 [0174.015] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0174.015] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91f6c, _Size=0x1e7b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.016] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.016] memcpy (in: _Dst=0x4d652b0, _Src=0x72f4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.018] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.018] memcpy (in: _Dst=0x4d652b0, _Src=0x72fc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.020] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.020] memcpy (in: _Dst=0x4d652b0, _Src=0x7304020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.022] memcpy (in: _Dst=0x4dc3a43, _Src=0x4d8d2c8, _Size=0x2185 | out: _Dst=0x4dc3a43) returned 0x4dc3a43 [0174.022] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4cbc470 [0174.076] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c74460 | out: hHeap=0x4d40000) returned 1 [0174.079] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f44d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.079] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4c30450 [0174.086] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc470 | out: hHeap=0x4d40000) returned 1 [0174.086] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9344d, _Size=0xadc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.102] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.102] memcpy (in: _Dst=0x4d652b0, _Src=0x730c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.104] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.104] memcpy (in: _Dst=0x4d652b0, _Src=0x7314020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.106] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.106] memcpy (in: _Dst=0x4d652b0, _Src=0x731c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.108] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.108] memcpy (in: _Dst=0x4d652b0, _Src=0x7324020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.109] memcpy (in: _Dst=0x4dc26a4, _Src=0x4d8d2c8, _Size=0x3524 | out: _Dst=0x4dc26a4) returned 0x4dc26a4 [0174.109] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8020048 [0174.117] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0174.117] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d907ec, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.119] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.119] memcpy (in: _Dst=0x4d652b0, _Src=0x732c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.122] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.122] memcpy (in: _Dst=0x4d652b0, _Src=0x7334020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.125] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.125] memcpy (in: _Dst=0x4d652b0, _Src=0x733c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.127] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.127] memcpy (in: _Dst=0x4d652b0, _Src=0x7344020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.129] memcpy (in: _Dst=0x4dc59e7, _Src=0x4d8d2c8, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0174.129] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x8074058 [0174.137] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0174.137] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d4a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.137] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x80cc068 [0174.144] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8074058 | out: hHeap=0x4d40000) returned 1 [0174.148] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d914a9, _Size=0x32f3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.152] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.152] memcpy (in: _Dst=0x4d652b0, _Src=0x734c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.154] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.154] memcpy (in: _Dst=0x4d652b0, _Src=0x7354020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.157] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.157] memcpy (in: _Dst=0x4d652b0, _Src=0x735c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.160] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.160] memcpy (in: _Dst=0x4d652b0, _Src=0x7364020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.160] memcpy (in: _Dst=0x4dc4ebb, _Src=0x4d8d2c8, _Size=0xd0d | out: _Dst=0x4dc4ebb) returned 0x4dc4ebb [0174.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x8020048 [0174.192] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x80cc068 | out: hHeap=0x4d40000) returned 1 [0174.193] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8dfd5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.193] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x80cc008 [0174.197] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0174.197] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91fd5, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.200] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.200] memcpy (in: _Dst=0x4d652b0, _Src=0x736c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.204] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.204] memcpy (in: _Dst=0x4d652b0, _Src=0x7374020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.207] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.207] memcpy (in: _Dst=0x4d652b0, _Src=0x737c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.209] memcpy (in: _Dst=0x4dc430c, _Src=0x4d8d2c8, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0174.209] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8130018 [0174.218] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x80cc008 | out: hHeap=0x4d40000) returned 1 [0174.218] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8eb84, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.218] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0174.227] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8130018 | out: hHeap=0x4d40000) returned 1 [0174.282] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92b84, _Size=0x1d96 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.283] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.283] memcpy (in: _Dst=0x4d652b0, _Src=0x7384020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.285] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.285] memcpy (in: _Dst=0x4d652b0, _Src=0x738c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.288] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.288] memcpy (in: _Dst=0x4d652b0, _Src=0x7394020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.291] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.291] memcpy (in: _Dst=0x4d652b0, _Src=0x739c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.293] memcpy (in: _Dst=0x4dc395e, _Src=0x4d8d2c8, _Size=0x226a | out: _Dst=0x4dc395e) returned 0x4dc395e [0174.293] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0174.299] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0174.299] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f532, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.299] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0174.310] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0174.311] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93532, _Size=0x1358 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.312] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.313] memcpy (in: _Dst=0x4d652b0, _Src=0x73a4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.315] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.315] memcpy (in: _Dst=0x4d652b0, _Src=0x73ac020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.318] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.318] memcpy (in: _Dst=0x4d652b0, _Src=0x73b4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.320] memcpy (in: _Dst=0x4dc2f20, _Src=0x4d8d2c8, _Size=0x2ca8 | out: _Dst=0x4dc2f20) returned 0x4dc2f20 [0174.320] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0174.371] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0174.378] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8ff70, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.378] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x8020048 [0174.390] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0174.395] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93f70, _Size=0x72f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.397] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.397] memcpy (in: _Dst=0x4d652b0, _Src=0x73bc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.447] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.448] memcpy (in: _Dst=0x4d652b0, _Src=0x73c4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.450] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.450] memcpy (in: _Dst=0x4d652b0, _Src=0x73cc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.453] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.453] memcpy (in: _Dst=0x4d652b0, _Src=0x73d4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.454] memcpy (in: _Dst=0x4dc22f7, _Src=0x4d8d2c8, _Size=0x38d1 | out: _Dst=0x4dc22f7) returned 0x4dc22f7 [0174.454] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7e23020 [0174.469] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0174.469] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90b99, _Size=0x3f59 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.472] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.472] memcpy (in: _Dst=0x4d652b0, _Src=0x73dc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.475] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.475] memcpy (in: _Dst=0x4d652b0, _Src=0x73e4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.478] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.478] memcpy (in: _Dst=0x4d652b0, _Src=0x73ec020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.481] memcpy (in: _Dst=0x4dc5b21, _Src=0x4d8d2c8, _Size=0xa7 | out: _Dst=0x4dc5b21) returned 0x4dc5b21 [0174.481] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x7eb5020 [0174.494] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e23020 | out: hHeap=0x4d40000) returned 1 [0174.527] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d36f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.527] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x7e21020 [0174.540] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7eb5020 | out: hHeap=0x4d40000) returned 1 [0174.545] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9136f, _Size=0x3679 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.546] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.546] memcpy (in: _Dst=0x4d652b0, _Src=0x73f4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.549] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.549] memcpy (in: _Dst=0x4d652b0, _Src=0x73fc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.552] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.552] memcpy (in: _Dst=0x4d652b0, _Src=0x7404020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.555] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.555] memcpy (in: _Dst=0x4d652b0, _Src=0x740c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.556] memcpy (in: _Dst=0x4dc5241, _Src=0x4d8d2c8, _Size=0x987 | out: _Dst=0x4dc5241) returned 0x4dc5241 [0174.556] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7ebb020 [0174.614] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e21020 | out: hHeap=0x4d40000) returned 1 [0174.619] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8dc4f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.619] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x7f50020 [0174.634] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ebb020 | out: hHeap=0x4d40000) returned 1 [0174.701] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91c4f, _Size=0x2cfc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.703] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.703] memcpy (in: _Dst=0x4d652b0, _Src=0x7414020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.705] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.705] memcpy (in: _Dst=0x4d652b0, _Src=0x741c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.707] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.708] memcpy (in: _Dst=0x4d652b0, _Src=0x7424020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.709] memcpy (in: _Dst=0x4dc48c4, _Src=0x4d8d2c8, _Size=0x1304 | out: _Dst=0x4dc48c4) returned 0x4dc48c4 [0174.709] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7e2e020 [0174.725] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f50020 | out: hHeap=0x4d40000) returned 1 [0174.752] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e5cc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.752] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x7ed1020 [0174.805] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e2e020 | out: hHeap=0x4d40000) returned 1 [0174.810] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d925cc, _Size=0x20d9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.812] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.812] memcpy (in: _Dst=0x4d652b0, _Src=0x742c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.815] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.815] memcpy (in: _Dst=0x4d652b0, _Src=0x7434020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.818] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.818] memcpy (in: _Dst=0x4d652b0, _Src=0x743c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.821] memcpy (in: _Dst=0x4dc3ca1, _Src=0x4d8d2c8, _Size=0x1f27 | out: _Dst=0x4dc3ca1) returned 0x4dc3ca1 [0174.821] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x7e23020 [0174.837] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ed1020 | out: hHeap=0x4d40000) returned 1 [0174.873] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f1ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.873] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7ed9020 [0174.889] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e23020 | out: hHeap=0x4d40000) returned 1 [0174.894] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d931ef, _Size=0x188a | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0174.895] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.895] memcpy (in: _Dst=0x4d652b0, _Src=0x7444020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.897] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.897] memcpy (in: _Dst=0x4d652b0, _Src=0x744c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.900] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.900] memcpy (in: _Dst=0x4d652b0, _Src=0x7454020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.981] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0174.981] memcpy (in: _Dst=0x4d652b0, _Src=0x745c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0174.983] memcpy (in: _Dst=0x4dc3452, _Src=0x4d8d2c8, _Size=0x2776 | out: _Dst=0x4dc3452) returned 0x4dc3452 [0174.984] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x7e25020 [0175.009] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ed9020 | out: hHeap=0x4d40000) returned 1 [0175.136] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8fa3e, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.136] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x7ed9020 [0175.151] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e25020 | out: hHeap=0x4d40000) returned 1 [0175.251] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93a3e, _Size=0xb4a | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.253] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.253] memcpy (in: _Dst=0x4d652b0, _Src=0x7464020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.255] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.255] memcpy (in: _Dst=0x4d652b0, _Src=0x746c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.257] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.257] memcpy (in: _Dst=0x4d652b0, _Src=0x7474020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.258] memcpy (in: _Dst=0x4dc2712, _Src=0x4d8d2c8, _Size=0x34b6 | out: _Dst=0x4dc2712) returned 0x4dc2712 [0175.258] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x7e22020 [0175.279] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ed9020 | out: hHeap=0x4d40000) returned 1 [0175.325] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9077e, _Size=0x3de5 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.326] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.327] memcpy (in: _Dst=0x4d652b0, _Src=0x747c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.329] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.329] memcpy (in: _Dst=0x4d652b0, _Src=0x7484020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.332] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.332] memcpy (in: _Dst=0x4d652b0, _Src=0x748c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.333] memcpy (in: _Dst=0x4dc59ad, _Src=0x4d8d2c8, _Size=0x21b | out: _Dst=0x4dc59ad) returned 0x4dc59ad [0175.333] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x7edc020 [0175.350] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e22020 | out: hHeap=0x4d40000) returned 1 [0175.479] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d4e3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.479] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x822d020 [0175.495] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7edc020 | out: hHeap=0x4d40000) returned 1 [0175.502] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d914e3, _Size=0x2dee | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.505] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.505] memcpy (in: _Dst=0x4d652b0, _Src=0x7494020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.507] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.508] memcpy (in: _Dst=0x4d652b0, _Src=0x749c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.510] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.510] memcpy (in: _Dst=0x4d652b0, _Src=0x74a4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.511] memcpy (in: _Dst=0x4dc49b6, _Src=0x4d8d2c8, _Size=0x1212 | out: _Dst=0x4dc49b6) returned 0x4dc49b6 [0175.511] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x7e22020 [0175.763] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822d020 | out: hHeap=0x4d40000) returned 1 [0175.779] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e4da, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.779] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7eec020 [0175.801] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e22020 | out: hHeap=0x4d40000) returned 1 [0175.880] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d924da, _Size=0x1f18 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0175.881] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.882] memcpy (in: _Dst=0x4d652b0, _Src=0x74ac020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.884] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.884] memcpy (in: _Dst=0x4d652b0, _Src=0x74b4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.885] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0175.885] memcpy (in: _Dst=0x4d652b0, _Src=0x74bc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0175.886] memcpy (in: _Dst=0x4dc3ae0, _Src=0x4d8d2c8, _Size=0x20e8 | out: _Dst=0x4dc3ae0) returned 0x4dc3ae0 [0175.886] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x8224020 [0175.910] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7eec020 | out: hHeap=0x4d40000) returned 1 [0176.185] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f3b0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.185] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x7e24020 [0176.209] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8224020 | out: hHeap=0x4d40000) returned 1 [0176.216] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d933b0, _Size=0xf36 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.217] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.217] memcpy (in: _Dst=0x4d652b0, _Src=0x74c4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.219] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.220] memcpy (in: _Dst=0x4d652b0, _Src=0x74cc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.221] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.222] memcpy (in: _Dst=0x4d652b0, _Src=0x74d4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.223] memcpy (in: _Dst=0x4dc2afe, _Src=0x4d8d2c8, _Size=0x30ca | out: _Dst=0x4dc2afe) returned 0x4dc2afe [0176.223] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x7ef1020 [0176.371] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e24020 | out: hHeap=0x4d40000) returned 1 [0176.377] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90392, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.377] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x8227020 [0176.395] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ef1020 | out: hHeap=0x4d40000) returned 1 [0176.494] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d94392, _Size=0x28 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.496] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.496] memcpy (in: _Dst=0x4d652b0, _Src=0x74dc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.498] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.499] memcpy (in: _Dst=0x4d652b0, _Src=0x74e4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.501] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.501] memcpy (in: _Dst=0x4d652b0, _Src=0x74ec020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.502] memcpy (in: _Dst=0x4dc1bf0, _Src=0x4d8d2c8, _Size=0x3fd8 | out: _Dst=0x4dc1bf0) returned 0x4dc1bf0 [0176.502] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x7e26020 [0176.526] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8227020 | out: hHeap=0x4d40000) returned 1 [0176.623] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d912a0, _Size=0x315e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.624] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.624] memcpy (in: _Dst=0x4d652b0, _Src=0x74f4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.626] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.626] memcpy (in: _Dst=0x4d652b0, _Src=0x74fc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.628] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.629] memcpy (in: _Dst=0x4d652b0, _Src=0x7504020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.629] memcpy (in: _Dst=0x4dc4d26, _Src=0x4d8d2c8, _Size=0xea2 | out: _Dst=0x4dc4d26) returned 0x4dc4d26 [0176.629] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7f0d020 [0176.649] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e26020 | out: hHeap=0x4d40000) returned 1 [0176.654] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e16a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.654] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x822b020 [0176.805] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f0d020 | out: hHeap=0x4d40000) returned 1 [0176.811] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9216a, _Size=0x22c7 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.812] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.813] memcpy (in: _Dst=0x4d652b0, _Src=0x750c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.815] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.815] memcpy (in: _Dst=0x4d652b0, _Src=0x7514020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.818] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0176.818] memcpy (in: _Dst=0x4d652b0, _Src=0x751c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0176.820] memcpy (in: _Dst=0x4dc3e8f, _Src=0x4d8d2c8, _Size=0x1d39 | out: _Dst=0x4dc3e8f) returned 0x4dc3e8f [0176.820] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x7e21020 [0176.972] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x822b020 | out: hHeap=0x4d40000) returned 1 [0176.980] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f001, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0176.980] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x7f01020 [0177.005] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e21020 | out: hHeap=0x4d40000) returned 1 [0177.345] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93001, _Size=0x17e9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0177.347] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.347] memcpy (in: _Dst=0x4d652b0, _Src=0x7524020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.350] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.350] memcpy (in: _Dst=0x4d652b0, _Src=0x752c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.353] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.353] memcpy (in: _Dst=0x4d652b0, _Src=0x7534020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.354] memcpy (in: _Dst=0x4dc33b1, _Src=0x4d8d2c8, _Size=0x2817 | out: _Dst=0x4dc33b1) returned 0x4dc33b1 [0177.355] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x8d84020 [0177.378] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f01020 | out: hHeap=0x4d40000) returned 1 [0177.700] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8fadf, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0177.700] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x7e29020 [0177.723] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d84020 | out: hHeap=0x4d40000) returned 1 [0177.730] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93adf, _Size=0xb6c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0177.731] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.731] memcpy (in: _Dst=0x4d652b0, _Src=0x753c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.733] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.733] memcpy (in: _Dst=0x4d652b0, _Src=0x7544020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.735] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0177.735] memcpy (in: _Dst=0x4d652b0, _Src=0x754c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0177.737] memcpy (in: _Dst=0x4dc2734, _Src=0x4d8d2c8, _Size=0x3494 | out: _Dst=0x4dc2734) returned 0x4dc2734 [0177.737] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x7f2b020 [0178.048] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e29020 | out: hHeap=0x4d40000) returned 1 [0178.070] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9075c, _Size=0x3c71 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.071] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.071] memcpy (in: _Dst=0x4d652b0, _Src=0x7554020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.074] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.074] memcpy (in: _Dst=0x4d652b0, _Src=0x755c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.076] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.076] memcpy (in: _Dst=0x4d652b0, _Src=0x7564020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.078] memcpy (in: _Dst=0x4dc5839, _Src=0x4d8d2c8, _Size=0x38f | out: _Dst=0x4dc5839) returned 0x4dc5839 [0178.078] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x7e2c020 [0178.234] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f2b020 | out: hHeap=0x4d40000) returned 1 [0178.241] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d657, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.241] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x7f26020 [0178.263] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e2c020 | out: hHeap=0x4d40000) returned 1 [0178.394] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91657, _Size=0x3350 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.395] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.395] memcpy (in: _Dst=0x4d652b0, _Src=0x756c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.397] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.397] memcpy (in: _Dst=0x4d652b0, _Src=0x7574020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.400] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.400] memcpy (in: _Dst=0x4d652b0, _Src=0x757c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.402] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.402] memcpy (in: _Dst=0x4d652b0, _Src=0x7584020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.403] memcpy (in: _Dst=0x4dc4f18, _Src=0x4d8d2c8, _Size=0xcb0 | out: _Dst=0x4dc4f18) returned 0x4dc4f18 [0178.403] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x8d8f020 [0178.428] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f26020 | out: hHeap=0x4d40000) returned 1 [0178.546] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8df78, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.546] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x7e2f020 [0178.570] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d8f020 | out: hHeap=0x4d40000) returned 1 [0178.578] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d91f78, _Size=0x2c38 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.580] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.580] memcpy (in: _Dst=0x4d652b0, _Src=0x758c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.583] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.583] memcpy (in: _Dst=0x4d652b0, _Src=0x7594020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.585] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.585] memcpy (in: _Dst=0x4d652b0, _Src=0x759c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.838] memcpy (in: _Dst=0x4dc4800, _Src=0x4d8d2c8, _Size=0x13c8 | out: _Dst=0x4dc4800) returned 0x4dc4800 [0178.838] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x7621020 [0178.867] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7e2f020 | out: hHeap=0x4d40000) returned 1 [0178.879] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8e690, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.879] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x7739020 [0178.981] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7621020 | out: hHeap=0x4d40000) returned 1 [0178.989] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d92690, _Size=0x223a | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0178.991] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.991] memcpy (in: _Dst=0x4d652b0, _Src=0x75a4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.995] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.995] memcpy (in: _Dst=0x4d652b0, _Src=0x75ac020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0178.998] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0178.998] memcpy (in: _Dst=0x4d652b0, _Src=0x75b4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.003] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.003] memcpy (in: _Dst=0x4d652b0, _Src=0x75bc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.003] memcpy (in: _Dst=0x4dc3e02, _Src=0x4d8d2c8, _Size=0x1dc6 | out: _Dst=0x4dc3e02) returned 0x4dc3e02 [0179.004] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x7622020 [0179.190] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7739020 | out: hHeap=0x4d40000) returned 1 [0179.201] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f08e, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.201] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x773c020 [0179.305] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7622020 | out: hHeap=0x4d40000) returned 1 [0179.315] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d9308e, _Size=0x1b83 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.320] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.321] memcpy (in: _Dst=0x4d652b0, _Src=0x75c4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.324] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.324] memcpy (in: _Dst=0x4d652b0, _Src=0x75cc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.327] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.327] memcpy (in: _Dst=0x4d652b0, _Src=0x75d4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.329] memcpy (in: _Dst=0x4dc374b, _Src=0x4d8d2c8, _Size=0x247d | out: _Dst=0x4dc374b) returned 0x4dc374b [0179.329] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x7853020 [0179.399] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x773c020 | out: hHeap=0x4d40000) returned 1 [0179.407] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8f745, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.407] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7629020 [0179.606] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7853020 | out: hHeap=0x4d40000) returned 1 [0179.728] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d93745, _Size=0x1285 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.729] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.729] memcpy (in: _Dst=0x4d652b0, _Src=0x75dc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.732] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.732] memcpy (in: _Dst=0x4d652b0, _Src=0x75e4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.735] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.735] memcpy (in: _Dst=0x4d652b0, _Src=0x75ec020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.738] memcpy (in: _Dst=0x4dc2e4d, _Src=0x4d8d2c8, _Size=0x2d7b | out: _Dst=0x4dc2e4d) returned 0x4dc2e4d [0179.738] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7740020 [0179.780] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7629020 | out: hHeap=0x4d40000) returned 1 [0179.859] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90043, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.859] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x786b020 [0179.883] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7740020 | out: hHeap=0x4d40000) returned 1 [0179.947] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d94043, _Size=0x7ea | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0179.947] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.947] memcpy (in: _Dst=0x4d652b0, _Src=0x75f4020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.950] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.950] memcpy (in: _Dst=0x4d652b0, _Src=0x75fc020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.953] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.954] memcpy (in: _Dst=0x4d652b0, _Src=0x7604020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.957] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0179.957] memcpy (in: _Dst=0x4d652b0, _Src=0x760c020, _Size=0x8000 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0179.959] memcpy (in: _Dst=0x4dc23b2, _Src=0x4d8d2c8, _Size=0x3816 | out: _Dst=0x4dc23b2) returned 0x4dc23b2 [0179.959] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x7627020 [0180.040] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x786b020 | out: hHeap=0x4d40000) returned 1 [0180.049] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d90ade, _Size=0x3ef4 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0180.051] memcpy (in: _Dst=0x4d5d2b0, _Src=0x4d652b0, _Size=0x8000 | out: _Dst=0x4d5d2b0) returned 0x4d5d2b0 [0180.051] memcpy (in: _Dst=0x4d652b0, _Src=0x7614020, _Size=0x1a36 | out: _Dst=0x4d652b0) returned 0x4d652b0 [0180.052] memcpy (in: _Dst=0x4dc5abc, _Src=0x4d8d2c8, _Size=0x10c | out: _Dst=0x4dc5abc) returned 0x4dc5abc [0180.052] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7757020 [0180.163] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7627020 | out: hHeap=0x4d40000) returned 1 [0180.173] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4d8d3d4, _Size=0x1079 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0180.173] memcpy (in: _Dst=0x4dc2c41, _Src=0x4d8d2c8, _Size=0x4 | out: _Dst=0x4dc2c41) returned 0x4dc2c41 [0180.173] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12507e) returned 0x788e020 [0180.301] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7757020 | out: hHeap=0x4d40000) returned 1 [0180.312] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d8d2c8 | out: hHeap=0x4d40000) returned 1 [0180.314] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0180.317] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d6d2b8 | out: hHeap=0x4d40000) returned 1 [0180.319] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0180.371] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0180.372] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0180.396] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x848a020 | out: hHeap=0x4d40000) returned 1 [0180.505] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7124020 | out: hHeap=0x4d40000) returned 1 [0180.600] DeleteDC (hdc=0xf010a30) returned 1 [0180.600] DeleteDC (hdc=0x180106a8) returned 1 [0180.600] DeleteObject (ho=0x27050a3c) returned 1 [0180.601] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x1f26a1cb, dwHighDateTime=0x1d99f3b)) [0180.601] Sleep (dwMilliseconds=0x3a98) [0190.647] GetDC (hWnd=0x0) returned 0xd010736 [0190.649] CreateCompatibleDC (hdc=0xd010736) returned 0x350109e0 [0190.650] GetDeviceCaps (hdc=0xd010736, index=8) returned 1440 [0190.650] GetDeviceCaps (hdc=0xd010736, index=10) returned 900 [0190.650] CreateCompatibleBitmap (hdc=0xd010736, cx=1440, cy=900) returned 0x12050a50 [0190.685] SelectObject (hdc=0x350109e0, h=0x12050a50) returned 0x185000f [0190.685] BitBlt (hdc=0x350109e0, x=0, y=0, cx=1440, cy=900, hdcSrc=0xd010736, x1=0, y1=0, rop=0xcc0020) returned 1 [0191.053] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0191.053] CopyIcon (hIcon=0x10019) returned 0x303ab [0191.054] GetIconInfo (in: hIcon=0x303ab, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0191.054] GetObjectW (in: h=0x52050a46, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0191.054] DrawIconEx (hdc=0x350109e0, xLeft=713, yTop=444, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0191.055] SelectObject (hdc=0x350109e0, h=0x185000f) returned 0x12050a50 [0191.055] GetObjectW (in: h=0x12050a50, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0191.055] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x79ca020 [0191.070] GetDIBits (in: hdc=0x350109e0, hbm=0x12050a50, start=0x0, cLines=0x384, lpvBits=0x79ca020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x79ca020, lpbmi=0x4cf934) returned 900 [0191.250] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8489020 [0191.476] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0191.476] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0191.476] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0191.478] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0191.479] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0191.479] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0191.480] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec020, _Size=0x2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.480] memcpy (in: _Dst=0x4cbc008, _Src=0x8489020, _Size=0x10000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.481] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.481] memcpy (in: _Dst=0x4cc4008, _Src=0x8499020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.482] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.482] memcpy (in: _Dst=0x4cc4008, _Src=0x84a1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.483] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.483] memcpy (in: _Dst=0x4cc4008, _Src=0x84a9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.485] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.485] memcpy (in: _Dst=0x4cc4008, _Src=0x84b1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.485] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.485] memcpy (in: _Dst=0x4cc4008, _Src=0x84b9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.486] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.486] memcpy (in: _Dst=0x4cc4008, _Src=0x84c1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.486] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.486] memcpy (in: _Dst=0x4cc4008, _Src=0x84c9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.487] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.487] memcpy (in: _Dst=0x4cc4008, _Src=0x84d1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.487] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.487] memcpy (in: _Dst=0x4cc4008, _Src=0x84d9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.487] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.488] memcpy (in: _Dst=0x4cc4008, _Src=0x84e1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.488] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.488] memcpy (in: _Dst=0x4cc4008, _Src=0x84e9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.591] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.591] memcpy (in: _Dst=0x4cc4008, _Src=0x84f1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.592] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.592] memcpy (in: _Dst=0x4cc4008, _Src=0x84f9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.594] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.594] memcpy (in: _Dst=0x4cc4008, _Src=0x8501020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.597] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.597] memcpy (in: _Dst=0x4cc4008, _Src=0x8509020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.598] memcpy (in: _Dst=0x4dc1bca, _Src=0x4cec020, _Size=0x3ffe | out: _Dst=0x4dc1bca) returned 0x4dc1bca [0191.598] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0191.599] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1325 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.600] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.600] memcpy (in: _Dst=0x4cc4008, _Src=0x8511020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.601] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.601] memcpy (in: _Dst=0x4cc4008, _Src=0x8519020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.603] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.603] memcpy (in: _Dst=0x4cc4008, _Src=0x8521020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.604] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.604] memcpy (in: _Dst=0x4cc4008, _Src=0x8529020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.607] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.607] memcpy (in: _Dst=0x4cc4008, _Src=0x8531020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.607] memcpy (in: _Dst=0x4dc2eed, _Src=0x4cec020, _Size=0x2cdb | out: _Dst=0x4dc2eed) returned 0x4dc2eed [0191.607] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0191.608] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0191.608] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecfb, _Size=0x1e90 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.610] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.610] memcpy (in: _Dst=0x4cc4008, _Src=0x8539020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.611] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.611] memcpy (in: _Dst=0x4cc4008, _Src=0x8541020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.613] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.613] memcpy (in: _Dst=0x4cc4008, _Src=0x8549020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.615] memcpy (in: _Dst=0x4dc3a58, _Src=0x4cec020, _Size=0x2170 | out: _Dst=0x4dc3a58) returned 0x4dc3a58 [0191.615] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0191.617] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0191.617] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee190, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.618] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.618] memcpy (in: _Dst=0x4cc4008, _Src=0x8551020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.620] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.620] memcpy (in: _Dst=0x4cc4008, _Src=0x8559020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.621] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.621] memcpy (in: _Dst=0x4cc4008, _Src=0x8561020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.623] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.623] memcpy (in: _Dst=0x4cc4008, _Src=0x8569020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.625] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.625] memcpy (in: _Dst=0x4cc4008, _Src=0x8571020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.627] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.627] memcpy (in: _Dst=0x4cc4008, _Src=0x8579020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.629] memcpy (in: _Dst=0x4dc40cb, _Src=0x4cec020, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0191.629] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0191.631] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.731] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb1d, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.731] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.731] memcpy (in: _Dst=0x4cc4008, _Src=0x8581020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.734] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.735] memcpy (in: _Dst=0x4cc4008, _Src=0x8589020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.738] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.738] memcpy (in: _Dst=0x4cc4008, _Src=0x8591020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.745] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.745] memcpy (in: _Dst=0x4cc4008, _Src=0x8599020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.750] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.750] memcpy (in: _Dst=0x4cc4008, _Src=0x85a1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.755] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.755] memcpy (in: _Dst=0x4cc4008, _Src=0x85a9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.761] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.761] memcpy (in: _Dst=0x4cc4008, _Src=0x85b1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.765] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.765] memcpy (in: _Dst=0x4cc4008, _Src=0x85b9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.765] memcpy (in: _Dst=0x4dc453f, _Src=0x4cec020, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0191.765] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0191.767] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0191.767] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.767] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0191.768] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0191.768] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16a9, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.769] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.770] memcpy (in: _Dst=0x4cc4008, _Src=0x85c1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.771] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4cec020, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0191.771] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0191.847] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.847] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec10, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.847] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.847] memcpy (in: _Dst=0x4cc4008, _Src=0x85c9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.849] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.849] memcpy (in: _Dst=0x4cc4008, _Src=0x85d1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.850] memcpy (in: _Dst=0x4dc4597, _Src=0x4cec020, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0191.850] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0191.854] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0191.854] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced651, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.854] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0191.857] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0191.857] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1651, _Size=0x439 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.857] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.857] memcpy (in: _Dst=0x4cc4008, _Src=0x85d9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.858] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.859] memcpy (in: _Dst=0x4cc4008, _Src=0x85e1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.860] memcpy (in: _Dst=0x4dc2001, _Src=0x4cec020, _Size=0x3bc7 | out: _Dst=0x4dc2001) returned 0x4dc2001 [0191.860] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0191.861] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0191.862] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbe7, _Size=0x203d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.862] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.862] memcpy (in: _Dst=0x4cc4008, _Src=0x85e9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.863] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.863] memcpy (in: _Dst=0x4cc4008, _Src=0x85f1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.864] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.864] memcpy (in: _Dst=0x4cc4008, _Src=0x85f9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.866] memcpy (in: _Dst=0x4dc3c05, _Src=0x4cec020, _Size=0x1fc3 | out: _Dst=0x4dc3c05) returned 0x4dc3c05 [0191.866] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0191.868] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.868] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe3, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.869] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.869] memcpy (in: _Dst=0x4cc4008, _Src=0x8601020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.870] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.870] memcpy (in: _Dst=0x4cc4008, _Src=0x8609020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.872] memcpy (in: _Dst=0x4dc5af9, _Src=0x4cec020, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0191.872] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0191.874] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0191.874] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.874] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0191.876] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0191.876] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00ef, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.876] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.876] memcpy (in: _Dst=0x4cc4008, _Src=0x8611020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.878] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.878] memcpy (in: _Dst=0x4cc4008, _Src=0x8619020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.879] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.879] memcpy (in: _Dst=0x4cc4008, _Src=0x8621020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.880] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4cec020, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0191.880] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0191.883] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.929] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedece, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.929] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0191.934] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0191.934] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ece, _Size=0x862 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.935] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.935] memcpy (in: _Dst=0x4cc4008, _Src=0x8629020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.936] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.936] memcpy (in: _Dst=0x4cc4008, _Src=0x8631020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.938] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.938] memcpy (in: _Dst=0x4cc4008, _Src=0x8639020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.939] memcpy (in: _Dst=0x4dc242a, _Src=0x4cec020, _Size=0x379e | out: _Dst=0x4dc242a) returned 0x4dc242a [0191.939] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0191.942] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.942] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7be, _Size=0x335c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.944] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.944] memcpy (in: _Dst=0x4cc4008, _Src=0x8641020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.945] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.945] memcpy (in: _Dst=0x4cc4008, _Src=0x8649020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.947] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.947] memcpy (in: _Dst=0x4cc4008, _Src=0x8651020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.948] memcpy (in: _Dst=0x4dc4f24, _Src=0x4cec020, _Size=0xca4 | out: _Dst=0x4dc4f24) returned 0x4dc4f24 [0191.948] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0191.952] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0191.952] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccc4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.952] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0191.955] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.955] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cc4, _Size=0x1e7b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.956] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.956] memcpy (in: _Dst=0x4cc4008, _Src=0x8659020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.958] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.958] memcpy (in: _Dst=0x4cc4008, _Src=0x8661020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.960] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.960] memcpy (in: _Dst=0x4cc4008, _Src=0x8669020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.962] memcpy (in: _Dst=0x4dc3a43, _Src=0x4cec020, _Size=0x2185 | out: _Dst=0x4dc3a43) returned 0x4dc3a43 [0191.962] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0191.965] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0191.965] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.965] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0191.968] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0191.968] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a5, _Size=0xadc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0191.969] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.969] memcpy (in: _Dst=0x4cc4008, _Src=0x8671020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0191.971] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0191.971] memcpy (in: _Dst=0x4cc4008, _Src=0x8679020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.002] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.003] memcpy (in: _Dst=0x4cc4008, _Src=0x8681020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.005] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.005] memcpy (in: _Dst=0x4cc4008, _Src=0x8689020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.007] memcpy (in: _Dst=0x4dc26a4, _Src=0x4cec020, _Size=0x3524 | out: _Dst=0x4dc26a4) returned 0x4dc26a4 [0192.007] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0192.016] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0192.016] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef544, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.018] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.018] memcpy (in: _Dst=0x4cc4008, _Src=0x8691020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.020] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.020] memcpy (in: _Dst=0x4cc4008, _Src=0x8699020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.023] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.024] memcpy (in: _Dst=0x4cc4008, _Src=0x86a1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.026] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.026] memcpy (in: _Dst=0x4cc4008, _Src=0x86a9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.027] memcpy (in: _Dst=0x4dc59e7, _Src=0x4cec020, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0192.027] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0192.032] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0192.032] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec201, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.032] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0192.036] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0192.036] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0201, _Size=0x32f3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.086] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.086] memcpy (in: _Dst=0x4cc4008, _Src=0x86b1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.088] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.088] memcpy (in: _Dst=0x4cc4008, _Src=0x86b9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.091] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.091] memcpy (in: _Dst=0x4cc4008, _Src=0x86c1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.094] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.094] memcpy (in: _Dst=0x4cc4008, _Src=0x86c9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.094] memcpy (in: _Dst=0x4dc4ebb, _Src=0x4cec020, _Size=0xd0d | out: _Dst=0x4dc4ebb) returned 0x4dc4ebb [0192.094] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0192.100] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0192.141] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.141] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0192.146] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0192.147] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2d, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.150] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.150] memcpy (in: _Dst=0x4cc4008, _Src=0x86d1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.152] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.152] memcpy (in: _Dst=0x4cc4008, _Src=0x86d9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.156] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.156] memcpy (in: _Dst=0x4cc4008, _Src=0x86e1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.158] memcpy (in: _Dst=0x4dc430c, _Src=0x4cec020, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0192.158] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0192.221] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0192.221] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8dc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.221] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0192.226] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0192.226] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18dc, _Size=0x1d89 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.227] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.227] memcpy (in: _Dst=0x4cc4008, _Src=0x86e9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.231] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.231] memcpy (in: _Dst=0x4cc4008, _Src=0x86f1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.234] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.234] memcpy (in: _Dst=0x4cc4008, _Src=0x86f9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.237] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.237] memcpy (in: _Dst=0x4cc4008, _Src=0x8701020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.238] memcpy (in: _Dst=0x4dc3951, _Src=0x4cec020, _Size=0x2277 | out: _Dst=0x4dc3951) returned 0x4dc3951 [0192.238] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0192.243] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0192.244] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee297, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.244] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0192.257] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0192.334] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2297, _Size=0x122b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.336] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.336] memcpy (in: _Dst=0x4cc4008, _Src=0x8709020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.338] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.338] memcpy (in: _Dst=0x4cc4008, _Src=0x8711020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.340] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.340] memcpy (in: _Dst=0x4cc4008, _Src=0x8719020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.342] memcpy (in: _Dst=0x4dc2df3, _Src=0x4cec020, _Size=0x2dd5 | out: _Dst=0x4dc2df3) returned 0x4dc2df3 [0192.342] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0192.354] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0192.444] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceedf5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.444] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x817c078 [0192.456] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0192.456] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2df5, _Size=0x570 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.457] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.457] memcpy (in: _Dst=0x4cc4008, _Src=0x8721020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.461] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.461] memcpy (in: _Dst=0x4cc4008, _Src=0x8729020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.464] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.464] memcpy (in: _Dst=0x4cc4008, _Src=0x8731020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.466] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.466] memcpy (in: _Dst=0x4cc4008, _Src=0x8739020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.467] memcpy (in: _Dst=0x4dc2138, _Src=0x4cec020, _Size=0x3a90 | out: _Dst=0x4dc2138) returned 0x4dc2138 [0192.467] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x762a020 [0192.479] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x817c078 | out: hHeap=0x4d40000) returned 1 [0192.486] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefab0, _Size=0x3e26 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.488] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.488] memcpy (in: _Dst=0x4cc4008, _Src=0x8741020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.554] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.554] memcpy (in: _Dst=0x4cc4008, _Src=0x8749020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.556] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.556] memcpy (in: _Dst=0x4cc4008, _Src=0x8751020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.558] memcpy (in: _Dst=0x4dc59ee, _Src=0x4cec020, _Size=0x1da | out: _Dst=0x4dc59ee) returned 0x4dc59ee [0192.558] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x76b7020 [0192.569] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x762a020 | out: hHeap=0x4d40000) returned 1 [0192.574] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec1fa, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x774d020 [0192.588] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76b7020 | out: hHeap=0x4d40000) returned 1 [0192.666] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf01fa, _Size=0x34ca | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.667] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.667] memcpy (in: _Dst=0x4cc4008, _Src=0x8759020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.669] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.669] memcpy (in: _Dst=0x4cc4008, _Src=0x8761020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.672] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.672] memcpy (in: _Dst=0x4cc4008, _Src=0x8769020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.674] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.674] memcpy (in: _Dst=0x4cc4008, _Src=0x8771020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.675] memcpy (in: _Dst=0x4dc5092, _Src=0x4cec020, _Size=0xb36 | out: _Dst=0x4dc5092) returned 0x4dc5092 [0192.675] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7624020 [0192.692] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x774d020 | out: hHeap=0x4d40000) returned 1 [0192.759] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecb56, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.759] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x76c5020 [0192.777] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7624020 | out: hHeap=0x4d40000) returned 1 [0192.783] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0b56, _Size=0x2b4f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.786] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.786] memcpy (in: _Dst=0x4cc4008, _Src=0x8779020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.790] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.790] memcpy (in: _Dst=0x4cc4008, _Src=0x8781020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.792] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.792] memcpy (in: _Dst=0x4cc4008, _Src=0x8789020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.793] memcpy (in: _Dst=0x4dc4717, _Src=0x4cec020, _Size=0x14b1 | out: _Dst=0x4dc4717) returned 0x4dc4717 [0192.794] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7622020 [0192.937] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76c5020 | out: hHeap=0x4d40000) returned 1 [0192.940] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced4d1, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.941] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x76c2020 [0192.958] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7622020 | out: hHeap=0x4d40000) returned 1 [0192.963] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf14d1, _Size=0x1fc6 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0192.964] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.964] memcpy (in: _Dst=0x4cc4008, _Src=0x8791020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.966] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.966] memcpy (in: _Dst=0x4cc4008, _Src=0x8799020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.968] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0192.969] memcpy (in: _Dst=0x4cc4008, _Src=0x87a1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0192.971] memcpy (in: _Dst=0x4dc3b8e, _Src=0x4cec020, _Size=0x203a | out: _Dst=0x4dc3b8e) returned 0x4dc3b8e [0192.971] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x7621020 [0193.079] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76c2020 | out: hHeap=0x4d40000) returned 1 [0193.084] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee05a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.084] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x76c8020 [0193.100] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7621020 | out: hHeap=0x4d40000) returned 1 [0193.143] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf205a, _Size=0x176e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.143] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.143] memcpy (in: _Dst=0x4cc4008, _Src=0x87a9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.145] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.145] memcpy (in: _Dst=0x4cc4008, _Src=0x87b1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.148] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.148] memcpy (in: _Dst=0x4cc4008, _Src=0x87b9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.150] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.151] memcpy (in: _Dst=0x4cc4008, _Src=0x87c1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.151] memcpy (in: _Dst=0x4dc3336, _Src=0x4cec020, _Size=0x2892 | out: _Dst=0x4dc3336) returned 0x4dc3336 [0193.151] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x7778020 [0193.244] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76c8020 | out: hHeap=0x4d40000) returned 1 [0193.248] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee8b2, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.248] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x7620020 [0193.265] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7778020 | out: hHeap=0x4d40000) returned 1 [0193.345] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf28b2, _Size=0x9ba | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.347] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.347] memcpy (in: _Dst=0x4cc4008, _Src=0x87c9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.349] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.349] memcpy (in: _Dst=0x4cc4008, _Src=0x87d1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.351] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.351] memcpy (in: _Dst=0x4cc4008, _Src=0x87d9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.352] memcpy (in: _Dst=0x4dc2582, _Src=0x4cec020, _Size=0x3646 | out: _Dst=0x4dc2582) returned 0x4dc2582 [0193.352] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x76d8020 [0193.362] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7620020 | out: hHeap=0x4d40000) returned 1 [0193.368] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef666, _Size=0x3c26 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.370] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.370] memcpy (in: _Dst=0x4cc4008, _Src=0x87e1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.372] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.372] memcpy (in: _Dst=0x4cc4008, _Src=0x87e9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.375] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.375] memcpy (in: _Dst=0x4cc4008, _Src=0x87f1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.376] memcpy (in: _Dst=0x4dc57ee, _Src=0x4cec020, _Size=0x3da | out: _Dst=0x4dc57ee) returned 0x4dc57ee [0193.376] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x7792020 [0193.497] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76d8020 | out: hHeap=0x4d40000) returned 1 [0193.503] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec3fa, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.503] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x7623020 [0193.523] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7792020 | out: hHeap=0x4d40000) returned 1 [0193.585] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf03fa, _Size=0x2c4e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.587] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.587] memcpy (in: _Dst=0x4cc4008, _Src=0x87f9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.590] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.590] memcpy (in: _Dst=0x4cc4008, _Src=0x8801020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.592] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.592] memcpy (in: _Dst=0x4cc4008, _Src=0x8809020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.593] memcpy (in: _Dst=0x4dc4816, _Src=0x4cec020, _Size=0x13b2 | out: _Dst=0x4dc4816) returned 0x4dc4816 [0193.593] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x76e3020 [0193.609] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7623020 | out: hHeap=0x4d40000) returned 1 [0193.614] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced3d2, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.614] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7620020 [0193.640] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76e3020 | out: hHeap=0x4d40000) returned 1 [0193.645] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf13d2, _Size=0x1e31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.647] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.647] memcpy (in: _Dst=0x4cc4008, _Src=0x8811020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.649] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.649] memcpy (in: _Dst=0x4cc4008, _Src=0x8819020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.651] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.651] memcpy (in: _Dst=0x4cc4008, _Src=0x8821020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.652] memcpy (in: _Dst=0x4dc39f9, _Src=0x4cec020, _Size=0x21cf | out: _Dst=0x4dc39f9) returned 0x4dc39f9 [0193.652] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x76ea020 [0193.704] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7620020 | out: hHeap=0x4d40000) returned 1 [0193.710] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.710] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x7ecf020 [0193.734] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76ea020 | out: hHeap=0x4d40000) returned 1 [0193.770] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21ef, _Size=0xe1e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.773] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.773] memcpy (in: _Dst=0x4cc4008, _Src=0x8829020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.775] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.775] memcpy (in: _Dst=0x4cc4008, _Src=0x8831020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.778] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.778] memcpy (in: _Dst=0x4cc4008, _Src=0x8839020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.779] memcpy (in: _Dst=0x4dc29e6, _Src=0x4cec020, _Size=0x31e2 | out: _Dst=0x4dc29e6) returned 0x4dc29e6 [0193.779] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x7624020 [0193.803] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecf020 | out: hHeap=0x4d40000) returned 1 [0193.861] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef202, _Size=0x3f3f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.863] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.863] memcpy (in: _Dst=0x4cc4008, _Src=0x8841020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.866] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.866] memcpy (in: _Dst=0x4cc4008, _Src=0x8849020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.868] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0193.868] memcpy (in: _Dst=0x4cc4008, _Src=0x8851020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0193.869] memcpy (in: _Dst=0x4dc5b07, _Src=0x4cec020, _Size=0xc1 | out: _Dst=0x4dc5b07) returned 0x4dc5b07 [0193.869] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x76f2020 [0193.898] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7624020 | out: hHeap=0x4d40000) returned 1 [0193.942] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0e1, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0193.943] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x7ec8020 [0193.970] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x76f2020 | out: hHeap=0x4d40000) returned 1 [0194.023] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00e1, _Size=0x3039 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.027] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.027] memcpy (in: _Dst=0x4cc4008, _Src=0x8859020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.031] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.031] memcpy (in: _Dst=0x4cc4008, _Src=0x8861020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.037] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.037] memcpy (in: _Dst=0x4cc4008, _Src=0x8869020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.039] memcpy (in: _Dst=0x4dc4c01, _Src=0x4cec020, _Size=0xfc7 | out: _Dst=0x4dc4c01) returned 0x4dc4c01 [0194.040] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x762d020 [0194.073] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec8020 | out: hHeap=0x4d40000) returned 1 [0194.216] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecfe7, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.216] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x7712020 [0194.239] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x762d020 | out: hHeap=0x4d40000) returned 1 [0194.267] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0fe7, _Size=0x216f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.269] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.269] memcpy (in: _Dst=0x4cc4008, _Src=0x8871020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.271] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.271] memcpy (in: _Dst=0x4cc4008, _Src=0x8879020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.273] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.273] memcpy (in: _Dst=0x4cc4008, _Src=0x8881020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.275] memcpy (in: _Dst=0x4dc3d37, _Src=0x4cec020, _Size=0x1e91 | out: _Dst=0x4dc3d37) returned 0x4dc3d37 [0194.275] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x7620020 [0194.302] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7712020 | out: hHeap=0x4d40000) returned 1 [0194.353] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedeb1, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.353] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x7708020 [0194.378] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7620020 | out: hHeap=0x4d40000) returned 1 [0194.430] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1eb1, _Size=0x16b0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.432] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.432] memcpy (in: _Dst=0x4cc4008, _Src=0x8889020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.434] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.434] memcpy (in: _Dst=0x4cc4008, _Src=0x8891020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.436] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.437] memcpy (in: _Dst=0x4cc4008, _Src=0x8899020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.438] memcpy (in: _Dst=0x4dc3278, _Src=0x4cec020, _Size=0x2950 | out: _Dst=0x4dc3278) returned 0x4dc3278 [0194.438] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x7ec0020 [0194.457] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7708020 | out: hHeap=0x4d40000) returned 1 [0194.469] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee970, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.469] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x7621020 [0194.489] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec0020 | out: hHeap=0x4d40000) returned 1 [0194.498] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2970, _Size=0xa2a | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.499] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.499] memcpy (in: _Dst=0x4cc4008, _Src=0x88a1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.502] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.502] memcpy (in: _Dst=0x4cc4008, _Src=0x88a9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.504] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.504] memcpy (in: _Dst=0x4cc4008, _Src=0x88b1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.506] memcpy (in: _Dst=0x4dc25f2, _Src=0x4cec020, _Size=0x35d6 | out: _Dst=0x4dc25f2) returned 0x4dc25f2 [0194.506] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x771b020 [0194.561] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7621020 | out: hHeap=0x4d40000) returned 1 [0194.568] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef5f6, _Size=0x3b2f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.569] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.569] memcpy (in: _Dst=0x4cc4008, _Src=0x88b9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.573] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.573] memcpy (in: _Dst=0x4cc4008, _Src=0x88c1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.575] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.575] memcpy (in: _Dst=0x4cc4008, _Src=0x88c9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.578] memcpy (in: _Dst=0x4dc56f7, _Src=0x4cec020, _Size=0x4d1 | out: _Dst=0x4dc56f7) returned 0x4dc56f7 [0194.578] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x7ecb020 [0194.630] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x771b020 | out: hHeap=0x4d40000) returned 1 [0194.638] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec4f1, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.638] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x7623020 [0194.685] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecb020 | out: hHeap=0x4d40000) returned 1 [0194.694] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf04f1, _Size=0x3216 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.694] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.694] memcpy (in: _Dst=0x4cc4008, _Src=0x88d1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.698] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.698] memcpy (in: _Dst=0x4cc4008, _Src=0x88d9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.701] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.701] memcpy (in: _Dst=0x4cc4008, _Src=0x88e1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.704] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.704] memcpy (in: _Dst=0x4cc4008, _Src=0x88e9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.705] memcpy (in: _Dst=0x4dc4dde, _Src=0x4cec020, _Size=0xdea | out: _Dst=0x4dc4dde) returned 0x4dc4dde [0194.705] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x7728020 [0194.786] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7623020 | out: hHeap=0x4d40000) returned 1 [0194.794] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cece0a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.794] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x7ec6020 [0194.867] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7728020 | out: hHeap=0x4d40000) returned 1 [0194.883] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0e0a, _Size=0x2af5 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.886] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.886] memcpy (in: _Dst=0x4cc4008, _Src=0x88f1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.889] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.889] memcpy (in: _Dst=0x4cc4008, _Src=0x88f9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.892] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.892] memcpy (in: _Dst=0x4cc4008, _Src=0x8901020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.894] memcpy (in: _Dst=0x4dc46bd, _Src=0x4cec020, _Size=0x150b | out: _Dst=0x4dc46bd) returned 0x4dc46bd [0194.894] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x762e020 [0194.931] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec6020 | out: hHeap=0x4d40000) returned 1 [0194.939] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced52b, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.939] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x773d020 [0194.963] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x762e020 | out: hHeap=0x4d40000) returned 1 [0194.976] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf152b, _Size=0x20f6 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0194.978] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.978] memcpy (in: _Dst=0x4cc4008, _Src=0x8909020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.981] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.981] memcpy (in: _Dst=0x4cc4008, _Src=0x8911020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.984] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.984] memcpy (in: _Dst=0x4cc4008, _Src=0x8919020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.988] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0194.988] memcpy (in: _Dst=0x4cc4008, _Src=0x8921020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0194.989] memcpy (in: _Dst=0x4dc3cbe, _Src=0x4cec020, _Size=0x1f0a | out: _Dst=0x4dc3cbe) returned 0x4dc3cbe [0194.989] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x7ecd020 [0195.036] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x773d020 | out: hHeap=0x4d40000) returned 1 [0195.043] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedf2a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.043] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x7624020 [0195.066] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecd020 | out: hHeap=0x4d40000) returned 1 [0195.090] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1f2a, _Size=0x1a3f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.094] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.094] memcpy (in: _Dst=0x4cc4008, _Src=0x8929020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.097] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.097] memcpy (in: _Dst=0x4cc4008, _Src=0x8931020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.157] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.157] memcpy (in: _Dst=0x4cc4008, _Src=0x8939020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.160] memcpy (in: _Dst=0x4dc3607, _Src=0x4cec020, _Size=0x25c1 | out: _Dst=0x4dc3607) returned 0x4dc3607 [0195.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x774f020 [0195.223] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7624020 | out: hHeap=0x4d40000) returned 1 [0195.235] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee5e1, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.235] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7628020 [0195.352] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x774f020 | out: hHeap=0x4d40000) returned 1 [0195.362] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf25e1, _Size=0x1154 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.363] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.363] memcpy (in: _Dst=0x4cc4008, _Src=0x8941020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.367] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.367] memcpy (in: _Dst=0x4cc4008, _Src=0x8949020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.371] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.371] memcpy (in: _Dst=0x4cc4008, _Src=0x8951020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.374] memcpy (in: _Dst=0x4dc2d1c, _Src=0x4cec020, _Size=0x2eac | out: _Dst=0x4dc2d1c) returned 0x4dc2d1c [0195.374] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7748020 [0195.455] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7628020 | out: hHeap=0x4d40000) returned 1 [0195.482] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceeecc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.482] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x7ecf020 [0195.511] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7748020 | out: hHeap=0x4d40000) returned 1 [0195.530] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2ecc, _Size=0x6bb | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.531] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.531] memcpy (in: _Dst=0x4cc4008, _Src=0x8959020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.533] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.534] memcpy (in: _Dst=0x4cc4008, _Src=0x8961020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.537] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.537] memcpy (in: _Dst=0x4cc4008, _Src=0x8969020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.732] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.732] memcpy (in: _Dst=0x4cc4008, _Src=0x8971020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.734] memcpy (in: _Dst=0x4dc2283, _Src=0x4cec020, _Size=0x3945 | out: _Dst=0x4dc2283) returned 0x4dc2283 [0195.734] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x762d020 [0195.757] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecf020 | out: hHeap=0x4d40000) returned 1 [0195.766] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef965, _Size=0x3dc3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.768] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0195.768] memcpy (in: _Dst=0x4cc4008, _Src=0x8979020, _Size=0x1a36 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0195.769] memcpy (in: _Dst=0x4dc598b, _Src=0x4cec020, _Size=0x23d | out: _Dst=0x4dc598b) returned 0x4dc598b [0195.769] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7753020 [0195.887] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x762d020 | out: hHeap=0x4d40000) returned 1 [0195.895] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec25d, _Size=0xf03 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0195.895] memcpy (in: _Dst=0x4dc2acb, _Src=0x4cec020, _Size=0x4 | out: _Dst=0x4dc2acb) returned 0x4dc2acb [0195.895] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124f08) returned 0x7620020 [0195.962] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7753020 | out: hHeap=0x4d40000) returned 1 [0196.232] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0196.233] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0196.363] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0196.365] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0196.368] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0196.368] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0196.392] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79ca020 | out: hHeap=0x4d40000) returned 1 [0196.635] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8489020 | out: hHeap=0x4d40000) returned 1 [0196.697] DeleteDC (hdc=0x350109e0) returned 1 [0196.697] DeleteDC (hdc=0xd010736) returned 1 [0196.781] DeleteObject (ho=0x12050a50) returned 1 [0196.781] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x28cc7ffa, dwHighDateTime=0x1d99f3b)) [0196.781] Sleep (dwMilliseconds=0x3a98) [0196.874] GetDC (hWnd=0x0) returned 0x240106c6 [0196.907] CreateCompatibleDC (hdc=0x240106c6) returned 0x28010a01 [0196.907] GetDeviceCaps (hdc=0x240106c6, index=8) returned 1440 [0196.907] GetDeviceCaps (hdc=0x240106c6, index=10) returned 900 [0196.907] CreateCompatibleBitmap (hdc=0x240106c6, cx=1440, cy=900) returned 0x2d0509f1 [0196.941] SelectObject (hdc=0x28010a01, h=0x2d0509f1) returned 0x185000f [0196.941] BitBlt (hdc=0x28010a01, x=0, y=0, cx=1440, cy=900, hdcSrc=0x240106c6, x1=0, y1=0, rop=0xcc0020) returned 1 [0197.394] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0197.394] CopyIcon (hIcon=0x10019) returned 0x7b016d [0197.395] GetIconInfo (in: hIcon=0x7b016d, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0197.396] GetObjectW (in: h=0x220509bd, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0197.396] DrawIconEx (hdc=0x28010a01, xLeft=791, yTop=439, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0197.396] SelectObject (hdc=0x28010a01, h=0x185000f) returned 0x2d0509f1 [0197.396] GetObjectW (in: h=0x2d0509f1, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0197.396] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x79c1020 [0197.413] GetDIBits (in: hdc=0x28010a01, hbm=0x2d0509f1, start=0x0, cLines=0x384, lpvBits=0x79c1020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x79c1020, lpbmi=0x4cf934) returned 900 [0197.466] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8483020 [0197.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0197.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0197.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0197.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0197.578] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0197.578] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0197.579] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec020, _Size=0x2 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.579] memcpy (in: _Dst=0x4cbc008, _Src=0x8483020, _Size=0x10000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.580] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.580] memcpy (in: _Dst=0x4cc4008, _Src=0x8493020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.581] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.581] memcpy (in: _Dst=0x4cc4008, _Src=0x849b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.582] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.582] memcpy (in: _Dst=0x4cc4008, _Src=0x84a3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.583] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.584] memcpy (in: _Dst=0x4cc4008, _Src=0x84ab020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.584] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.584] memcpy (in: _Dst=0x4cc4008, _Src=0x84b3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.584] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.585] memcpy (in: _Dst=0x4cc4008, _Src=0x84bb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.586] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.586] memcpy (in: _Dst=0x4cc4008, _Src=0x84c3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.587] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.587] memcpy (in: _Dst=0x4cc4008, _Src=0x84cb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.587] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.587] memcpy (in: _Dst=0x4cc4008, _Src=0x84d3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.588] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.588] memcpy (in: _Dst=0x4cc4008, _Src=0x84db020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.588] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.588] memcpy (in: _Dst=0x4cc4008, _Src=0x84e3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.590] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.590] memcpy (in: _Dst=0x4cc4008, _Src=0x84eb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.591] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.591] memcpy (in: _Dst=0x4cc4008, _Src=0x84f3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.593] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.594] memcpy (in: _Dst=0x4cc4008, _Src=0x84fb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.596] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.596] memcpy (in: _Dst=0x4cc4008, _Src=0x8503020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.598] memcpy (in: _Dst=0x4dc1bca, _Src=0x4cec020, _Size=0x3ffe | out: _Dst=0x4dc1bca) returned 0x4dc1bca [0197.598] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0197.598] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1325 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.599] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.599] memcpy (in: _Dst=0x4cc4008, _Src=0x850b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.600] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.600] memcpy (in: _Dst=0x4cc4008, _Src=0x8513020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.691] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.691] memcpy (in: _Dst=0x4cc4008, _Src=0x851b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.692] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.692] memcpy (in: _Dst=0x4cc4008, _Src=0x8523020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.694] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.694] memcpy (in: _Dst=0x4cc4008, _Src=0x852b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.694] memcpy (in: _Dst=0x4dc2eed, _Src=0x4cec020, _Size=0x2cdb | out: _Dst=0x4dc2eed) returned 0x4dc2eed [0197.695] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0197.696] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0197.696] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecfb, _Size=0x1e90 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.697] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.697] memcpy (in: _Dst=0x4cc4008, _Src=0x8533020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.698] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.698] memcpy (in: _Dst=0x4cc4008, _Src=0x853b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.700] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.700] memcpy (in: _Dst=0x4cc4008, _Src=0x8543020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.702] memcpy (in: _Dst=0x4dc3a58, _Src=0x4cec020, _Size=0x2170 | out: _Dst=0x4dc3a58) returned 0x4dc3a58 [0197.702] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0197.705] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0197.705] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee190, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.705] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.705] memcpy (in: _Dst=0x4cc4008, _Src=0x854b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.707] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.707] memcpy (in: _Dst=0x4cc4008, _Src=0x8553020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.708] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.708] memcpy (in: _Dst=0x4cc4008, _Src=0x855b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.711] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.711] memcpy (in: _Dst=0x4cc4008, _Src=0x8563020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.713] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.713] memcpy (in: _Dst=0x4cc4008, _Src=0x856b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.715] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.715] memcpy (in: _Dst=0x4cc4008, _Src=0x8573020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.717] memcpy (in: _Dst=0x4dc40cb, _Src=0x4cec020, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0197.717] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0197.719] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.719] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb1d, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.720] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.720] memcpy (in: _Dst=0x4cc4008, _Src=0x857b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.723] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.723] memcpy (in: _Dst=0x4cc4008, _Src=0x8583020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.800] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.800] memcpy (in: _Dst=0x4cc4008, _Src=0x858b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.806] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.806] memcpy (in: _Dst=0x4cc4008, _Src=0x8593020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.811] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.811] memcpy (in: _Dst=0x4cc4008, _Src=0x859b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.816] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.816] memcpy (in: _Dst=0x4cc4008, _Src=0x85a3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.821] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.821] memcpy (in: _Dst=0x4cc4008, _Src=0x85ab020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.824] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.824] memcpy (in: _Dst=0x4cc4008, _Src=0x85b3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.825] memcpy (in: _Dst=0x4dc453f, _Src=0x4cec020, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0197.825] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0197.827] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0197.827] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.827] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0197.828] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0197.828] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16a9, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.829] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.829] memcpy (in: _Dst=0x4cc4008, _Src=0x85bb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.830] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4cec020, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0197.831] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0197.832] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.832] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec10, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.832] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.832] memcpy (in: _Dst=0x4cc4008, _Src=0x85c3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.833] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.834] memcpy (in: _Dst=0x4cc4008, _Src=0x85cb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.835] memcpy (in: _Dst=0x4dc4597, _Src=0x4cec020, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0197.835] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0197.885] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0197.885] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced651, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.885] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0197.888] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0197.888] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1651, _Size=0x439 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.889] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.889] memcpy (in: _Dst=0x4cc4008, _Src=0x85d3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.890] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.890] memcpy (in: _Dst=0x4cc4008, _Src=0x85db020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.891] memcpy (in: _Dst=0x4dc2001, _Src=0x4cec020, _Size=0x3bc7 | out: _Dst=0x4dc2001) returned 0x4dc2001 [0197.891] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0197.893] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0197.893] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbe7, _Size=0x203d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.893] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.893] memcpy (in: _Dst=0x4cc4008, _Src=0x85e3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.894] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.894] memcpy (in: _Dst=0x4cc4008, _Src=0x85eb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.895] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.896] memcpy (in: _Dst=0x4cc4008, _Src=0x85f3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.896] memcpy (in: _Dst=0x4dc3c05, _Src=0x4cec020, _Size=0x1fc3 | out: _Dst=0x4dc3c05) returned 0x4dc3c05 [0197.896] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0197.897] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.898] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe3, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.899] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.899] memcpy (in: _Dst=0x4cc4008, _Src=0x85fb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.900] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.900] memcpy (in: _Dst=0x4cc4008, _Src=0x8603020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.901] memcpy (in: _Dst=0x4dc5af9, _Src=0x4cec020, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0197.901] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0197.904] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0197.904] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.904] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0197.906] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0197.906] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00ef, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.906] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.906] memcpy (in: _Dst=0x4cc4008, _Src=0x860b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.907] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.907] memcpy (in: _Dst=0x4cc4008, _Src=0x8613020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.909] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.909] memcpy (in: _Dst=0x4cc4008, _Src=0x861b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.910] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4cec020, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0197.910] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0197.911] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.911] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedece, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.911] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0197.913] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0197.913] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ece, _Size=0x862 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.914] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.914] memcpy (in: _Dst=0x4cc4008, _Src=0x8623020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.916] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.916] memcpy (in: _Dst=0x4cc4008, _Src=0x862b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.918] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.918] memcpy (in: _Dst=0x4cc4008, _Src=0x8633020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.954] memcpy (in: _Dst=0x4dc242a, _Src=0x4cec020, _Size=0x379e | out: _Dst=0x4dc242a) returned 0x4dc242a [0197.954] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0197.956] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.956] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7be, _Size=0x335c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.957] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.957] memcpy (in: _Dst=0x4cc4008, _Src=0x863b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.959] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.959] memcpy (in: _Dst=0x4cc4008, _Src=0x8643020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.961] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.961] memcpy (in: _Dst=0x4cc4008, _Src=0x864b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.962] memcpy (in: _Dst=0x4dc4f24, _Src=0x4cec020, _Size=0xca4 | out: _Dst=0x4dc4f24) returned 0x4dc4f24 [0197.962] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0197.964] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0197.964] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccc4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.964] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0197.966] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.966] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cc4, _Size=0x1e7b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.967] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.967] memcpy (in: _Dst=0x4cc4008, _Src=0x8653020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.969] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.969] memcpy (in: _Dst=0x4cc4008, _Src=0x865b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.971] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.971] memcpy (in: _Dst=0x4cc4008, _Src=0x8663020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.972] memcpy (in: _Dst=0x4dc3a43, _Src=0x4cec020, _Size=0x2185 | out: _Dst=0x4dc3a43) returned 0x4dc3a43 [0197.972] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0197.975] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0197.975] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.975] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0197.977] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0197.977] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a5, _Size=0xadc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0197.978] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.978] memcpy (in: _Dst=0x4cc4008, _Src=0x866b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.980] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.980] memcpy (in: _Dst=0x4cc4008, _Src=0x8673020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.982] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.982] memcpy (in: _Dst=0x4cc4008, _Src=0x867b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.984] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0197.984] memcpy (in: _Dst=0x4cc4008, _Src=0x8683020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0197.985] memcpy (in: _Dst=0x4dc26a4, _Src=0x4cec020, _Size=0x3524 | out: _Dst=0x4dc26a4) returned 0x4dc26a4 [0197.985] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0197.993] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0198.038] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef544, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.040] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.040] memcpy (in: _Dst=0x4cc4008, _Src=0x868b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.042] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.042] memcpy (in: _Dst=0x4cc4008, _Src=0x8693020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.045] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.045] memcpy (in: _Dst=0x4cc4008, _Src=0x869b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.047] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.047] memcpy (in: _Dst=0x4cc4008, _Src=0x86a3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.049] memcpy (in: _Dst=0x4dc59e7, _Src=0x4cec020, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0198.049] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0198.051] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0198.051] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec201, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.051] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0198.054] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0198.055] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0201, _Size=0x32f3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.056] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.056] memcpy (in: _Dst=0x4cc4008, _Src=0x86ab020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.059] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.059] memcpy (in: _Dst=0x4cc4008, _Src=0x86b3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.062] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.062] memcpy (in: _Dst=0x4cc4008, _Src=0x86bb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.065] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.065] memcpy (in: _Dst=0x4cc4008, _Src=0x86c3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.065] memcpy (in: _Dst=0x4dc4ebb, _Src=0x4cec020, _Size=0xd0d | out: _Dst=0x4dc4ebb) returned 0x4dc4ebb [0198.065] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0198.068] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0198.068] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.068] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0198.072] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0198.113] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2d, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.116] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.116] memcpy (in: _Dst=0x4cc4008, _Src=0x86cb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.131] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.131] memcpy (in: _Dst=0x4cc4008, _Src=0x86d3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.152] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.152] memcpy (in: _Dst=0x4cc4008, _Src=0x86db020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.154] memcpy (in: _Dst=0x4dc430c, _Src=0x4cec020, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0198.154] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0198.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0198.164] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8dc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.164] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0198.168] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0198.168] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18dc, _Size=0x1d96 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.169] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.169] memcpy (in: _Dst=0x4cc4008, _Src=0x86e3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.171] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.171] memcpy (in: _Dst=0x4cc4008, _Src=0x86eb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.174] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.174] memcpy (in: _Dst=0x4cc4008, _Src=0x86f3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.176] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.176] memcpy (in: _Dst=0x4cc4008, _Src=0x86fb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.177] memcpy (in: _Dst=0x4dc395e, _Src=0x4cec020, _Size=0x226a | out: _Dst=0x4dc395e) returned 0x4dc395e [0198.177] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0198.188] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0198.188] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee28a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.188] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0198.200] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0198.200] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf228a, _Size=0x133d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.202] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.202] memcpy (in: _Dst=0x4cc4008, _Src=0x8703020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.204] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.204] memcpy (in: _Dst=0x4cc4008, _Src=0x870b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.207] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.207] memcpy (in: _Dst=0x4cc4008, _Src=0x8713020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.209] memcpy (in: _Dst=0x4dc2f05, _Src=0x4cec020, _Size=0x2cc3 | out: _Dst=0x4dc2f05) returned 0x4dc2f05 [0198.209] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0198.220] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0198.280] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceece3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.280] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x8020048 [0198.291] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0198.296] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2ce3, _Size=0x66e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0198.297] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.297] memcpy (in: _Dst=0x4cc4008, _Src=0x871b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.299] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.299] memcpy (in: _Dst=0x4cc4008, _Src=0x8723020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.302] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.302] memcpy (in: _Dst=0x4cc4008, _Src=0x872b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.305] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0198.305] memcpy (in: _Dst=0x4cc4008, _Src=0x8733020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0198.306] memcpy (in: _Dst=0x4dc2236, _Src=0x4cec020, _Size=0x3992 | out: _Dst=0x4dc2236) returned 0x4dc2236 [0198.306] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7756020 [0198.317] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0198.422] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x77ed020 [0198.434] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7756020 | out: hHeap=0x4d40000) returned 1 [0198.437] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x7ec7020 [0198.449] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x77ed020 | out: hHeap=0x4d40000) returned 1 [0198.769] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7759020 [0198.783] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec7020 | out: hHeap=0x4d40000) returned 1 [0198.787] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x7ec8020 [0198.799] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7759020 | out: hHeap=0x4d40000) returned 1 [0198.961] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7129020 [0198.974] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec8020 | out: hHeap=0x4d40000) returned 1 [0198.977] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x71ce020 [0198.990] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7129020 | out: hHeap=0x4d40000) returned 1 [0199.295] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x727a020 [0199.309] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x71ce020 | out: hHeap=0x4d40000) returned 1 [0199.313] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7124020 [0199.397] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x727a020 | out: hHeap=0x4d40000) returned 1 [0199.426] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x71d0020 [0199.562] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7124020 | out: hHeap=0x4d40000) returned 1 [0199.652] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x728a020 [0199.667] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x71d0020 | out: hHeap=0x4d40000) returned 1 [0199.749] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x712f020 [0199.766] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x728a020 | out: hHeap=0x4d40000) returned 1 [0199.781] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x71ed020 [0199.897] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x712f020 | out: hHeap=0x4d40000) returned 1 [0199.904] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x7120020 [0199.923] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x71ed020 | out: hHeap=0x4d40000) returned 1 [0200.078] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x71e9020 [0200.099] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7120020 | out: hHeap=0x4d40000) returned 1 [0200.108] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x72b8020 [0200.219] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x71e9020 | out: hHeap=0x4d40000) returned 1 [0200.235] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x712a020 [0200.319] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72b8020 | out: hHeap=0x4d40000) returned 1 [0200.324] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x71ff020 [0200.385] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x712a020 | out: hHeap=0x4d40000) returned 1 [0200.399] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x72dc020 [0200.415] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x71ff020 | out: hHeap=0x4d40000) returned 1 [0200.529] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x712e020 [0200.550] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72dc020 | out: hHeap=0x4d40000) returned 1 [0200.632] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x7202020 [0200.652] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x712e020 | out: hHeap=0x4d40000) returned 1 [0200.669] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7126020 [0200.786] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7202020 | out: hHeap=0x4d40000) returned 1 [0200.793] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x720e020 [0200.815] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7126020 | out: hHeap=0x4d40000) returned 1 [0200.926] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x72fa020 [0200.949] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x720e020 | out: hHeap=0x4d40000) returned 1 [0201.004] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x712a020 [0201.027] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72fa020 | out: hHeap=0x4d40000) returned 1 [0201.071] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x721d020 [0201.094] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x712a020 | out: hHeap=0x4d40000) returned 1 [0201.267] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x731f020 [0201.297] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x721d020 | out: hHeap=0x4d40000) returned 1 [0201.312] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x7125020 [0201.381] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x731f020 | out: hHeap=0x4d40000) returned 1 [0201.440] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x7222020 [0201.462] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7125020 | out: hHeap=0x4d40000) returned 1 [0201.470] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x7120020 [0201.572] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7222020 | out: hHeap=0x4d40000) returned 1 [0201.668] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x722e020 [0201.692] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7120020 | out: hHeap=0x4d40000) returned 1 [0201.774] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x733f020 [0201.799] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x722e020 | out: hHeap=0x4d40000) returned 1 [0201.881] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x7120020 [0201.909] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x733f020 | out: hHeap=0x4d40000) returned 1 [0201.981] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x7235020 [0202.008] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7120020 | out: hHeap=0x4d40000) returned 1 [0202.256] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0202.256] memcpy (in: _Dst=0x4cc4008, _Src=0x8913020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0202.260] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0202.261] memcpy (in: _Dst=0x4cc4008, _Src=0x891b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0202.261] memcpy (in: _Dst=0x4dc3d5c, _Src=0x4cec020, _Size=0x1e6c | out: _Dst=0x4dc3d5c) returned 0x4dc3d5c [0202.261] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x7349020 [0202.284] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7235020 | out: hHeap=0x4d40000) returned 1 [0202.521] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x7123020 [0202.545] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7349020 | out: hHeap=0x4d40000) returned 1 [0202.651] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x724a020 [0202.680] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7123020 | out: hHeap=0x4d40000) returned 1 [0202.767] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7124020 [0202.789] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x724a020 | out: hHeap=0x4d40000) returned 1 [0202.957] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7245020 [0202.984] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7124020 | out: hHeap=0x4d40000) returned 1 [0203.137] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x7369020 [0203.164] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7245020 | out: hHeap=0x4d40000) returned 1 [0203.364] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x7129020 [0203.486] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7369020 | out: hHeap=0x4d40000) returned 1 [0203.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7252020 [0203.521] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7129020 | out: hHeap=0x4d40000) returned 1 [0203.702] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124eb7) returned 0x7126020 [0203.734] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7252020 | out: hHeap=0x4d40000) returned 1 [0203.803] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0203.807] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0203.809] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0203.812] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0203.814] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0203.814] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0203.840] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c1020 | out: hHeap=0x4d40000) returned 1 [0203.930] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8483020 | out: hHeap=0x4d40000) returned 1 [0204.067] DeleteDC (hdc=0x28010a01) returned 1 [0204.067] DeleteDC (hdc=0x240106c6) returned 1 [0204.067] DeleteObject (ho=0x2d0509f1) returned 1 [0204.067] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x2d238390, dwHighDateTime=0x1d99f3b)) [0204.067] Sleep (dwMilliseconds=0x3a98) [0204.185] GetDC (hWnd=0x0) returned 0xd010736 [0204.189] CreateCompatibleDC (hdc=0xd010736) returned 0x2f0109f1 [0204.190] GetDeviceCaps (hdc=0xd010736, index=8) returned 1440 [0204.190] GetDeviceCaps (hdc=0xd010736, index=10) returned 900 [0204.190] CreateCompatibleBitmap (hdc=0xd010736, cx=1440, cy=900) returned 0x3e050982 [0204.388] SelectObject (hdc=0x2f0109f1, h=0x3e050982) returned 0x185000f [0204.388] BitBlt (hdc=0x2f0109f1, x=0, y=0, cx=1440, cy=900, hdcSrc=0xd010736, x1=0, y1=0, rop=0xcc0020) returned 1 [0205.217] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0205.218] CopyIcon (hIcon=0x10019) returned 0x210191 [0205.220] GetIconInfo (in: hIcon=0x210191, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0205.220] GetObjectW (in: h=0x77050a57, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0205.220] DrawIconEx (hdc=0x2f0109f1, xLeft=1418, yTop=425, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0205.221] SelectObject (hdc=0x2f0109f1, h=0x185000f) returned 0x3e050982 [0205.221] GetObjectW (in: h=0x3e050982, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0205.221] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x8485020 [0205.283] GetDIBits (in: hdc=0x2f0109f1, hbm=0x3e050982, start=0x0, cLines=0x384, lpvBits=0x8485020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x8485020, lpbmi=0x4cf934) returned 900 [0205.494] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x958f020 [0205.808] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0205.808] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0205.808] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0205.810] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0205.811] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0205.812] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0205.916] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.916] memcpy (in: _Dst=0x4cc4008, _Src=0x960f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.917] memcpy (in: _Dst=0x4dc1bca, _Src=0x4cec020, _Size=0x3ffe | out: _Dst=0x4dc1bca) returned 0x4dc1bca [0205.917] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0205.918] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1325 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0205.919] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.919] memcpy (in: _Dst=0x4cc4008, _Src=0x9617020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.920] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.921] memcpy (in: _Dst=0x4cc4008, _Src=0x961f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.922] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.922] memcpy (in: _Dst=0x4cc4008, _Src=0x9627020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.924] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.924] memcpy (in: _Dst=0x4cc4008, _Src=0x962f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.926] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.926] memcpy (in: _Dst=0x4cc4008, _Src=0x9637020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.927] memcpy (in: _Dst=0x4dc2eed, _Src=0x4cec020, _Size=0x2cdb | out: _Dst=0x4dc2eed) returned 0x4dc2eed [0205.927] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0205.929] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0205.929] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecfb, _Size=0x1e90 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0205.931] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.931] memcpy (in: _Dst=0x4cc4008, _Src=0x963f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.932] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.933] memcpy (in: _Dst=0x4cc4008, _Src=0x9647020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.935] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.935] memcpy (in: _Dst=0x4cc4008, _Src=0x964f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.937] memcpy (in: _Dst=0x4dc3a58, _Src=0x4cec020, _Size=0x2170 | out: _Dst=0x4dc3a58) returned 0x4dc3a58 [0205.937] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0205.940] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0205.940] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee190, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0205.941] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.941] memcpy (in: _Dst=0x4cc4008, _Src=0x9657020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0205.943] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0205.943] memcpy (in: _Dst=0x4cc4008, _Src=0x965f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.104] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.104] memcpy (in: _Dst=0x4cc4008, _Src=0x9667020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.106] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.107] memcpy (in: _Dst=0x4cc4008, _Src=0x966f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.109] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.109] memcpy (in: _Dst=0x4cc4008, _Src=0x9677020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.111] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.112] memcpy (in: _Dst=0x4cc4008, _Src=0x967f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.114] memcpy (in: _Dst=0x4dc40cb, _Src=0x4cec020, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0206.114] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0206.116] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.119] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb1d, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.119] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.120] memcpy (in: _Dst=0x4cc4008, _Src=0x9687020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.124] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.124] memcpy (in: _Dst=0x4cc4008, _Src=0x968f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.129] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.129] memcpy (in: _Dst=0x4cc4008, _Src=0x9697020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.136] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.136] memcpy (in: _Dst=0x4cc4008, _Src=0x969f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.142] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.143] memcpy (in: _Dst=0x4cc4008, _Src=0x96a7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.310] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.310] memcpy (in: _Dst=0x4cc4008, _Src=0x96af020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.317] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.317] memcpy (in: _Dst=0x4cc4008, _Src=0x96b7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.321] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.322] memcpy (in: _Dst=0x4cc4008, _Src=0x96bf020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.322] memcpy (in: _Dst=0x4dc453f, _Src=0x4cec020, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0206.322] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0206.325] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0206.325] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.325] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0206.327] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0206.327] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16a9, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.329] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.329] memcpy (in: _Dst=0x4cc4008, _Src=0x96c7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.330] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4cec020, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0206.330] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0206.332] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.332] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec10, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.333] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.333] memcpy (in: _Dst=0x4cc4008, _Src=0x96cf020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.334] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.334] memcpy (in: _Dst=0x4cc4008, _Src=0x96d7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.336] memcpy (in: _Dst=0x4dc4597, _Src=0x4cec020, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0206.336] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0206.341] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0206.341] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced651, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.341] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0206.345] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.345] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1651, _Size=0x439 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.345] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.345] memcpy (in: _Dst=0x4cc4008, _Src=0x96df020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.347] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.347] memcpy (in: _Dst=0x4cc4008, _Src=0x96e7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.349] memcpy (in: _Dst=0x4dc2001, _Src=0x4cec020, _Size=0x3bc7 | out: _Dst=0x4dc2001) returned 0x4dc2001 [0206.349] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0206.350] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0206.350] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbe7, _Size=0x203d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.350] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.390] memcpy (in: _Dst=0x4cc4008, _Src=0x96ef020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.392] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.392] memcpy (in: _Dst=0x4cc4008, _Src=0x96f7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.393] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.393] memcpy (in: _Dst=0x4cc4008, _Src=0x96ff020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.394] memcpy (in: _Dst=0x4dc3c05, _Src=0x4cec020, _Size=0x1fc3 | out: _Dst=0x4dc3c05) returned 0x4dc3c05 [0206.394] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0206.395] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.395] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe3, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.396] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.396] memcpy (in: _Dst=0x4cc4008, _Src=0x9707020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.413] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.413] memcpy (in: _Dst=0x4cc4008, _Src=0x970f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.415] memcpy (in: _Dst=0x4dc5af9, _Src=0x4cec020, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0206.415] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0206.419] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.419] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.419] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0206.421] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0206.421] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00ef, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.422] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.422] memcpy (in: _Dst=0x4cc4008, _Src=0x9717020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.423] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.423] memcpy (in: _Dst=0x4cc4008, _Src=0x971f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.425] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.425] memcpy (in: _Dst=0x4cc4008, _Src=0x9727020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.426] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4cec020, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0206.426] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0206.428] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.428] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedece, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.428] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0206.430] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.432] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ece, _Size=0x862 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.433] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.433] memcpy (in: _Dst=0x4cc4008, _Src=0x972f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.435] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.435] memcpy (in: _Dst=0x4cc4008, _Src=0x9737020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.436] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.436] memcpy (in: _Dst=0x4cc4008, _Src=0x973f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.437] memcpy (in: _Dst=0x4dc242a, _Src=0x4cec020, _Size=0x379e | out: _Dst=0x4dc242a) returned 0x4dc242a [0206.438] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0206.440] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.440] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7be, _Size=0x335c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.441] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.441] memcpy (in: _Dst=0x4cc4008, _Src=0x9747020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.442] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.442] memcpy (in: _Dst=0x4cc4008, _Src=0x974f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.444] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.444] memcpy (in: _Dst=0x4cc4008, _Src=0x9757020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.495] memcpy (in: _Dst=0x4dc4f24, _Src=0x4cec020, _Size=0xca4 | out: _Dst=0x4dc4f24) returned 0x4dc4f24 [0206.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0206.499] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.499] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccc4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.499] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0206.502] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.502] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cc4, _Size=0x1e7b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.503] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.503] memcpy (in: _Dst=0x4cc4008, _Src=0x975f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.506] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.506] memcpy (in: _Dst=0x4cc4008, _Src=0x9767020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.509] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.509] memcpy (in: _Dst=0x4cc4008, _Src=0x976f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.511] memcpy (in: _Dst=0x4dc3a43, _Src=0x4cec020, _Size=0x2185 | out: _Dst=0x4dc3a43) returned 0x4dc3a43 [0206.511] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0206.515] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.515] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.515] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0206.518] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0206.518] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a5, _Size=0xadc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.519] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.519] memcpy (in: _Dst=0x4cc4008, _Src=0x9777020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.521] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.521] memcpy (in: _Dst=0x4cc4008, _Src=0x977f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.524] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.524] memcpy (in: _Dst=0x4cc4008, _Src=0x9787020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.527] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.527] memcpy (in: _Dst=0x4cc4008, _Src=0x978f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.529] memcpy (in: _Dst=0x4dc26a4, _Src=0x4cec020, _Size=0x3524 | out: _Dst=0x4dc26a4) returned 0x4dc26a4 [0206.529] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0206.539] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.588] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef544, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.590] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.590] memcpy (in: _Dst=0x4cc4008, _Src=0x9797020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.593] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.594] memcpy (in: _Dst=0x4cc4008, _Src=0x979f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.597] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.597] memcpy (in: _Dst=0x4cc4008, _Src=0x97a7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.600] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.600] memcpy (in: _Dst=0x4cc4008, _Src=0x97af020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.603] memcpy (in: _Dst=0x4dc59e7, _Src=0x4cec020, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0206.603] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0206.606] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0206.606] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec201, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.606] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0206.610] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.610] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0201, _Size=0x32f3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.612] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.612] memcpy (in: _Dst=0x4cc4008, _Src=0x97b7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.615] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.615] memcpy (in: _Dst=0x4cc4008, _Src=0x97bf020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.619] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.619] memcpy (in: _Dst=0x4cc4008, _Src=0x97c7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.623] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.623] memcpy (in: _Dst=0x4cc4008, _Src=0x97cf020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.624] memcpy (in: _Dst=0x4dc4ebb, _Src=0x4cec020, _Size=0xd0d | out: _Dst=0x4dc4ebb) returned 0x4dc4ebb [0206.624] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0206.627] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0206.627] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.627] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0206.631] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0206.631] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2d, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.672] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.672] memcpy (in: _Dst=0x4cc4008, _Src=0x97d7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.675] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.675] memcpy (in: _Dst=0x4cc4008, _Src=0x97df020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.678] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.678] memcpy (in: _Dst=0x4cc4008, _Src=0x97e7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.681] memcpy (in: _Dst=0x4dc430c, _Src=0x4cec020, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0206.681] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0206.693] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0206.693] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8dc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.693] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0206.697] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0206.699] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18dc, _Size=0x1d96 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.699] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.700] memcpy (in: _Dst=0x4cc4008, _Src=0x97ef020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.702] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.702] memcpy (in: _Dst=0x4cc4008, _Src=0x97f7020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.705] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.705] memcpy (in: _Dst=0x4cc4008, _Src=0x97ff020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.707] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.707] memcpy (in: _Dst=0x4cc4008, _Src=0x9807020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.709] memcpy (in: _Dst=0x4dc395e, _Src=0x4cec020, _Size=0x226a | out: _Dst=0x4dc395e) returned 0x4dc395e [0206.709] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0206.713] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0206.760] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee28a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.760] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0206.774] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0206.774] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf228a, _Size=0x1345 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.776] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.776] memcpy (in: _Dst=0x4cc4008, _Src=0x980f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.778] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.779] memcpy (in: _Dst=0x4cc4008, _Src=0x9817020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.782] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.782] memcpy (in: _Dst=0x4cc4008, _Src=0x981f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.784] memcpy (in: _Dst=0x4dc2f0d, _Src=0x4cec020, _Size=0x2cbb | out: _Dst=0x4dc2f0d) returned 0x4dc2f0d [0206.784] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0206.801] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0206.860] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecdb, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.860] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x817c078 [0206.880] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0206.880] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2cdb, _Size=0x67b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0206.882] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.883] memcpy (in: _Dst=0x4cc4008, _Src=0x9827020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.885] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.885] memcpy (in: _Dst=0x4cc4008, _Src=0x982f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.888] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.888] memcpy (in: _Dst=0x4cc4008, _Src=0x9837020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.891] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0206.891] memcpy (in: _Dst=0x4cc4008, _Src=0x983f020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0206.892] memcpy (in: _Dst=0x4dc2243, _Src=0x4cec020, _Size=0x3985 | out: _Dst=0x4dc2243) returned 0x4dc2243 [0206.892] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7250020 [0206.938] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x817c078 | out: hHeap=0x4d40000) returned 1 [0206.958] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x72ec020 [0207.000] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7250020 | out: hHeap=0x4d40000) returned 1 [0207.008] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x738f020 [0207.021] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72ec020 | out: hHeap=0x4d40000) returned 1 [0207.111] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x725d020 [0207.125] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x738f020 | out: hHeap=0x4d40000) returned 1 [0207.130] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x72f5020 [0207.327] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725d020 | out: hHeap=0x4d40000) returned 1 [0207.341] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7251020 [0207.354] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72f5020 | out: hHeap=0x4d40000) returned 1 [0207.415] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x72f4020 [0207.432] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7251020 | out: hHeap=0x4d40000) returned 1 [0207.474] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x739d020 [0207.492] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72f4020 | out: hHeap=0x4d40000) returned 1 [0207.498] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7254020 [0207.567] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x739d020 | out: hHeap=0x4d40000) returned 1 [0207.583] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x730f020 [0207.604] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7254020 | out: hHeap=0x4d40000) returned 1 [0207.652] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x73cb020 [0207.671] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x730f020 | out: hHeap=0x4d40000) returned 1 [0207.689] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x7259020 [0207.747] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x73cb020 | out: hHeap=0x4d40000) returned 1 [0207.763] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x7313020 [0207.822] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7259020 | out: hHeap=0x4d40000) returned 1 [0207.828] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x73dc020 [0207.844] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7313020 | out: hHeap=0x4d40000) returned 1 [0207.889] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x725a020 [0207.910] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x73dc020 | out: hHeap=0x4d40000) returned 1 [0207.916] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7328020 [0207.977] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725a020 | out: hHeap=0x4d40000) returned 1 [0207.988] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x73ff020 [0208.008] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7328020 | out: hHeap=0x4d40000) returned 1 [0208.017] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x7253020 [0208.038] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x73ff020 | out: hHeap=0x4d40000) returned 1 [0208.075] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x7321020 [0208.099] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7253020 | out: hHeap=0x4d40000) returned 1 [0208.107] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x7250020 [0208.154] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7321020 | out: hHeap=0x4d40000) returned 1 [0208.176] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x7323020 [0208.197] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7250020 | out: hHeap=0x4d40000) returned 1 [0208.257] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7402020 [0208.433] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7323020 | out: hHeap=0x4d40000) returned 1 [0208.441] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x7251020 [0208.517] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7402020 | out: hHeap=0x4d40000) returned 1 [0208.536] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x7332020 [0208.597] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7251020 | out: hHeap=0x4d40000) returned 1 [0208.606] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x741d020 [0208.629] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7332020 | out: hHeap=0x4d40000) returned 1 [0208.675] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x7255020 [0208.698] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x741d020 | out: hHeap=0x4d40000) returned 1 [0208.764] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x7345020 [0208.790] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7255020 | out: hHeap=0x4d40000) returned 1 [0208.869] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x743c020 [0208.903] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7345020 | out: hHeap=0x4d40000) returned 1 [0208.963] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x7253020 [0208.994] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x743c020 | out: hHeap=0x4d40000) returned 1 [0209.015] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x735a020 [0209.043] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7253020 | out: hHeap=0x4d40000) returned 1 [0209.095] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x7250020 [0209.119] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x735a020 | out: hHeap=0x4d40000) returned 1 [0209.153] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x7357020 [0209.193] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7250020 | out: hHeap=0x4d40000) returned 1 [0209.232] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x7468020 [0209.255] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7357020 | out: hHeap=0x4d40000) returned 1 [0209.341] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x725c020 [0209.366] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7468020 | out: hHeap=0x4d40000) returned 1 [0209.410] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x737d020 [0209.438] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725c020 | out: hHeap=0x4d40000) returned 1 [0209.488] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x7250020 [0209.588] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x737d020 | out: hHeap=0x4d40000) returned 1 [0209.667] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x7365020 [0209.693] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7250020 | out: hHeap=0x4d40000) returned 1 [0209.770] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7486020 [0209.798] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7365020 | out: hHeap=0x4d40000) returned 1 [0209.838] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7256020 [0209.867] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7486020 | out: hHeap=0x4d40000) returned 1 [0209.938] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x7377020 [0209.973] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7256020 | out: hHeap=0x4d40000) returned 1 [0210.064] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x74a3020 [0210.153] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7377020 | out: hHeap=0x4d40000) returned 1 [0210.177] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7257020 [0210.248] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74a3020 | out: hHeap=0x4d40000) returned 1 [0210.259] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x125031) returned 0x7389020 [0210.583] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7257020 | out: hHeap=0x4d40000) returned 1 [0210.599] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0210.614] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0210.617] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0210.728] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0210.730] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0210.731] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0210.756] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8485020 | out: hHeap=0x4d40000) returned 1 [0210.870] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x958f020 | out: hHeap=0x4d40000) returned 1 [0210.937] DeleteDC (hdc=0x2f0109f1) returned 1 [0210.938] DeleteDC (hdc=0xd010736) returned 1 [0210.941] DeleteObject (ho=0x3e050982) returned 1 [0210.943] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x313c9106, dwHighDateTime=0x1d99f3b)) [0210.943] Sleep (dwMilliseconds=0x3a98) [0210.977] GetDC (hWnd=0x0) returned 0xd010736 [0210.977] CreateCompatibleDC (hdc=0xd010736) returned 0x3f010982 [0210.977] GetDeviceCaps (hdc=0xd010736, index=8) returned 1440 [0210.977] GetDeviceCaps (hdc=0xd010736, index=10) returned 900 [0210.977] CreateCompatibleBitmap (hdc=0xd010736, cx=1440, cy=900) returned 0x300509f1 [0211.060] SelectObject (hdc=0x3f010982, h=0x300509f1) returned 0x185000f [0211.060] BitBlt (hdc=0x3f010982, x=0, y=0, cx=1440, cy=900, hdcSrc=0xd010736, x1=0, y1=0, rop=0xcc0020) returned 1 [0211.827] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0211.827] CopyIcon (hIcon=0x10019) returned 0x2c0299 [0211.830] GetIconInfo (in: hIcon=0x2c0299, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0211.830] GetObjectW (in: h=0x130509e7, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0211.830] DrawIconEx (hdc=0x3f010982, xLeft=147, yTop=366, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0211.830] SelectObject (hdc=0x3f010982, h=0x185000f) returned 0x300509f1 [0211.830] GetObjectW (in: h=0x300509f1, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0211.830] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x958f020 [0211.852] GetDIBits (in: hdc=0x3f010982, hbm=0x300509f1, start=0x0, cLines=0x384, lpvBits=0x958f020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x958f020, lpbmi=0x4cf934) returned 900 [0212.116] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8484020 [0212.492] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0212.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0212.495] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0212.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0212.498] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0212.499] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0212.627] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0212.628] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1325 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.629] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.629] memcpy (in: _Dst=0x4cc4008, _Src=0x850c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.631] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.631] memcpy (in: _Dst=0x4cc4008, _Src=0x8514020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.636] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.637] memcpy (in: _Dst=0x4cc4008, _Src=0x851c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.638] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.639] memcpy (in: _Dst=0x4cc4008, _Src=0x8524020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.641] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.641] memcpy (in: _Dst=0x4cc4008, _Src=0x852c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.642] memcpy (in: _Dst=0x4dc2eed, _Src=0x4cec020, _Size=0x2cdb | out: _Dst=0x4dc2eed) returned 0x4dc2eed [0212.642] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0212.643] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0212.643] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecfb, _Size=0x1e90 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.644] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.645] memcpy (in: _Dst=0x4cc4008, _Src=0x8534020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.646] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.646] memcpy (in: _Dst=0x4cc4008, _Src=0x853c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.688] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.688] memcpy (in: _Dst=0x4cc4008, _Src=0x8544020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.690] memcpy (in: _Dst=0x4dc3a58, _Src=0x4cec020, _Size=0x2170 | out: _Dst=0x4dc3a58) returned 0x4dc3a58 [0212.690] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0212.693] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0212.693] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee190, _Size=0x2503 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.693] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.693] memcpy (in: _Dst=0x4cc4008, _Src=0x854c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.696] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.696] memcpy (in: _Dst=0x4cc4008, _Src=0x8554020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.697] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.697] memcpy (in: _Dst=0x4cc4008, _Src=0x855c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.699] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.699] memcpy (in: _Dst=0x4cc4008, _Src=0x8564020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.701] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.701] memcpy (in: _Dst=0x4cc4008, _Src=0x856c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.703] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.703] memcpy (in: _Dst=0x4cc4008, _Src=0x8574020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.706] memcpy (in: _Dst=0x4dc40cb, _Src=0x4cec020, _Size=0x1afd | out: _Dst=0x4dc40cb) returned 0x4dc40cb [0212.706] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0212.707] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.707] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb1d, _Size=0x2977 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.708] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.708] memcpy (in: _Dst=0x4cc4008, _Src=0x857c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.712] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.712] memcpy (in: _Dst=0x4cc4008, _Src=0x8584020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.716] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.716] memcpy (in: _Dst=0x4cc4008, _Src=0x858c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.722] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.722] memcpy (in: _Dst=0x4cc4008, _Src=0x8594020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.776] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.776] memcpy (in: _Dst=0x4cc4008, _Src=0x859c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.781] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.781] memcpy (in: _Dst=0x4cc4008, _Src=0x85a4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.786] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.786] memcpy (in: _Dst=0x4cc4008, _Src=0x85ac020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.796] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.796] memcpy (in: _Dst=0x4cc4008, _Src=0x85b4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.797] memcpy (in: _Dst=0x4dc453f, _Src=0x4cec020, _Size=0x1689 | out: _Dst=0x4dc453f) returned 0x4dc453f [0212.797] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0212.801] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0212.801] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6a9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.801] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0212.802] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0212.802] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16a9, _Size=0x1410 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.808] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.808] memcpy (in: _Dst=0x4cc4008, _Src=0x85bc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.809] memcpy (in: _Dst=0x4dc2fd8, _Src=0x4cec020, _Size=0x2bf0 | out: _Dst=0x4dc2fd8) returned 0x4dc2fd8 [0212.809] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0212.811] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.811] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec10, _Size=0x29cf | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.811] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.811] memcpy (in: _Dst=0x4cc4008, _Src=0x85c4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.812] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.813] memcpy (in: _Dst=0x4cc4008, _Src=0x85cc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.814] memcpy (in: _Dst=0x4dc4597, _Src=0x4cec020, _Size=0x1631 | out: _Dst=0x4dc4597) returned 0x4dc4597 [0212.814] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0212.818] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0212.818] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced651, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.818] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0212.888] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0212.890] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1651, _Size=0x439 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.891] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.891] memcpy (in: _Dst=0x4cc4008, _Src=0x85d4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.892] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.892] memcpy (in: _Dst=0x4cc4008, _Src=0x85dc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.893] memcpy (in: _Dst=0x4dc2001, _Src=0x4cec020, _Size=0x3bc7 | out: _Dst=0x4dc2001) returned 0x4dc2001 [0212.893] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0212.895] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0212.895] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbe7, _Size=0x203d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.895] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.895] memcpy (in: _Dst=0x4cc4008, _Src=0x85e4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.896] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.896] memcpy (in: _Dst=0x4cc4008, _Src=0x85ec020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.900] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.900] memcpy (in: _Dst=0x4cc4008, _Src=0x85f4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.900] memcpy (in: _Dst=0x4dc3c05, _Src=0x4cec020, _Size=0x1fc3 | out: _Dst=0x4dc3c05) returned 0x4dc3c05 [0212.900] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0212.902] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.902] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe3, _Size=0x3f31 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.903] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.903] memcpy (in: _Dst=0x4cc4008, _Src=0x85fc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.904] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.904] memcpy (in: _Dst=0x4cc4008, _Src=0x8604020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.905] memcpy (in: _Dst=0x4dc5af9, _Src=0x4cec020, _Size=0xcf | out: _Dst=0x4dc5af9) returned 0x4dc5af9 [0212.905] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0212.908] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0212.908] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.908] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0212.909] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0212.909] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00ef, _Size=0x2152 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.910] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.910] memcpy (in: _Dst=0x4cc4008, _Src=0x860c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.911] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.911] memcpy (in: _Dst=0x4cc4008, _Src=0x8614020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.912] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.913] memcpy (in: _Dst=0x4cc4008, _Src=0x861c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.914] memcpy (in: _Dst=0x4dc3d1a, _Src=0x4cec020, _Size=0x1eae | out: _Dst=0x4dc3d1a) returned 0x4dc3d1a [0212.914] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0212.916] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.918] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedece, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.918] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0212.921] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0212.922] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ece, _Size=0x862 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.924] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.924] memcpy (in: _Dst=0x4cc4008, _Src=0x8624020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.928] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.983] memcpy (in: _Dst=0x4cc4008, _Src=0x862c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.984] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.985] memcpy (in: _Dst=0x4cc4008, _Src=0x8634020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.986] memcpy (in: _Dst=0x4dc242a, _Src=0x4cec020, _Size=0x379e | out: _Dst=0x4dc242a) returned 0x4dc242a [0212.986] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0212.988] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.988] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7be, _Size=0x335c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.989] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.989] memcpy (in: _Dst=0x4cc4008, _Src=0x863c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.991] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.991] memcpy (in: _Dst=0x4cc4008, _Src=0x8644020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.992] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0212.992] memcpy (in: _Dst=0x4cc4008, _Src=0x864c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0212.993] memcpy (in: _Dst=0x4dc4f24, _Src=0x4cec020, _Size=0xca4 | out: _Dst=0x4dc4f24) returned 0x4dc4f24 [0212.993] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0212.996] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0212.996] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccc4, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0212.996] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0212.999] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0212.999] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cc4, _Size=0x1e7b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.000] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.000] memcpy (in: _Dst=0x4cc4008, _Src=0x8654020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.002] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.002] memcpy (in: _Dst=0x4cc4008, _Src=0x865c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.004] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.004] memcpy (in: _Dst=0x4cc4008, _Src=0x8664020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.006] memcpy (in: _Dst=0x4dc3a43, _Src=0x4cec020, _Size=0x2185 | out: _Dst=0x4dc3a43) returned 0x4dc3a43 [0213.006] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0213.010] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0213.011] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a5, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.011] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0213.015] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0213.015] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a5, _Size=0xadc | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.015] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.015] memcpy (in: _Dst=0x4cc4008, _Src=0x866c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.017] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.017] memcpy (in: _Dst=0x4cc4008, _Src=0x8674020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.020] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.020] memcpy (in: _Dst=0x4cc4008, _Src=0x867c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.022] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.022] memcpy (in: _Dst=0x4cc4008, _Src=0x8684020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.065] memcpy (in: _Dst=0x4dc26a4, _Src=0x4cec020, _Size=0x3524 | out: _Dst=0x4dc26a4) returned 0x4dc26a4 [0213.065] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0213.182] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0213.184] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef544, _Size=0x3e1f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.185] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.185] memcpy (in: _Dst=0x4cc4008, _Src=0x868c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.188] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.189] memcpy (in: _Dst=0x4cc4008, _Src=0x8694020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.192] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.192] memcpy (in: _Dst=0x4cc4008, _Src=0x869c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.194] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.195] memcpy (in: _Dst=0x4cc4008, _Src=0x86a4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.196] memcpy (in: _Dst=0x4dc59e7, _Src=0x4cec020, _Size=0x1e1 | out: _Dst=0x4dc59e7) returned 0x4dc59e7 [0213.196] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0213.200] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0213.200] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec201, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.200] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0213.205] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0213.205] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0201, _Size=0x32f3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.208] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.208] memcpy (in: _Dst=0x4cc4008, _Src=0x86ac020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.261] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.261] memcpy (in: _Dst=0x4cc4008, _Src=0x86b4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.263] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.263] memcpy (in: _Dst=0x4cc4008, _Src=0x86bc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.266] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.266] memcpy (in: _Dst=0x4cc4008, _Src=0x86c4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.267] memcpy (in: _Dst=0x4dc4ebb, _Src=0x4cec020, _Size=0xd0d | out: _Dst=0x4dc4ebb) returned 0x4dc4ebb [0213.267] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0213.271] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0213.271] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.271] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0213.275] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0213.275] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2d, _Size=0x2744 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.278] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.278] memcpy (in: _Dst=0x4cc4008, _Src=0x86cc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.281] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.281] memcpy (in: _Dst=0x4cc4008, _Src=0x86d4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.284] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.284] memcpy (in: _Dst=0x4cc4008, _Src=0x86dc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.287] memcpy (in: _Dst=0x4dc430c, _Src=0x4cec020, _Size=0x18bc | out: _Dst=0x4dc430c) returned 0x4dc430c [0213.287] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0213.297] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0213.297] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8dc, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.297] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0213.301] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0213.301] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18dc, _Size=0x1d96 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.302] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.302] memcpy (in: _Dst=0x4cc4008, _Src=0x86e4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.330] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.330] memcpy (in: _Dst=0x4cc4008, _Src=0x86ec020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.333] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.333] memcpy (in: _Dst=0x4cc4008, _Src=0x86f4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.361] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.361] memcpy (in: _Dst=0x4cc4008, _Src=0x86fc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.362] memcpy (in: _Dst=0x4dc395e, _Src=0x4cec020, _Size=0x226a | out: _Dst=0x4dc395e) returned 0x4dc395e [0213.362] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0213.370] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0213.372] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee28a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.372] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0213.387] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0213.492] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf228a, _Size=0x1358 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.493] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.493] memcpy (in: _Dst=0x4cc4008, _Src=0x8704020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.495] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.495] memcpy (in: _Dst=0x4cc4008, _Src=0x870c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.498] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.498] memcpy (in: _Dst=0x4cc4008, _Src=0x8714020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.499] memcpy (in: _Dst=0x4dc2f20, _Src=0x4cec020, _Size=0x2ca8 | out: _Dst=0x4dc2f20) returned 0x4dc2f20 [0213.499] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0213.512] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0213.518] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecc8, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.518] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x8020048 [0213.530] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0213.535] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2cc8, _Size=0x72f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0213.536] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.536] memcpy (in: _Dst=0x4cc4008, _Src=0x871c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.538] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.538] memcpy (in: _Dst=0x4cc4008, _Src=0x8724020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.589] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.589] memcpy (in: _Dst=0x4cc4008, _Src=0x872c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.591] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0213.591] memcpy (in: _Dst=0x4cc4008, _Src=0x8734020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0213.592] memcpy (in: _Dst=0x4dc22f7, _Src=0x4cec020, _Size=0x38d1 | out: _Dst=0x4dc22f7) returned 0x4dc22f7 [0213.592] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x725c020 [0213.603] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0213.613] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x72e9020 [0213.624] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725c020 | out: hHeap=0x4d40000) returned 1 [0213.630] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x74bd020 [0213.661] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72e9020 | out: hHeap=0x4d40000) returned 1 [0213.674] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7252020 [0213.687] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bd020 | out: hHeap=0x4d40000) returned 1 [0213.691] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x72e3020 [0213.737] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7252020 | out: hHeap=0x4d40000) returned 1 [0213.751] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x74b3020 [0213.766] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x72e3020 | out: hHeap=0x4d40000) returned 1 [0213.770] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x725f020 [0213.817] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b3020 | out: hHeap=0x4d40000) returned 1 [0213.832] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x74b7020 [0213.846] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725f020 | out: hHeap=0x4d40000) returned 1 [0213.874] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7252020 [0213.915] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b7020 | out: hHeap=0x4d40000) returned 1 [0213.928] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x74b9020 [0213.948] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7252020 | out: hHeap=0x4d40000) returned 1 [0213.952] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x7254020 [0213.967] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b9020 | out: hHeap=0x4d40000) returned 1 [0213.983] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x74b3020 [0213.998] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7254020 | out: hHeap=0x4d40000) returned 1 [0214.010] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x7258020 [0214.025] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b3020 | out: hHeap=0x4d40000) returned 1 [0214.058] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x74bd020 [0214.073] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7258020 | out: hHeap=0x4d40000) returned 1 [0214.097] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x725c020 [0214.149] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bd020 | out: hHeap=0x4d40000) returned 1 [0214.154] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x74b8020 [0214.177] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725c020 | out: hHeap=0x4d40000) returned 1 [0214.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x725d020 [0214.252] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b8020 | out: hHeap=0x4d40000) returned 1 [0214.313] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x74bb020 [0214.350] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725d020 | out: hHeap=0x4d40000) returned 1 [0214.450] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x7256020 [0214.467] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bb020 | out: hHeap=0x4d40000) returned 1 [0214.472] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x74b4020 [0214.519] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7256020 | out: hHeap=0x4d40000) returned 1 [0214.534] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x725e020 [0214.595] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b4020 | out: hHeap=0x4d40000) returned 1 [0214.608] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x74b4020 [0214.627] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725e020 | out: hHeap=0x4d40000) returned 1 [0214.694] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x725b020 [0214.713] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b4020 | out: hHeap=0x4d40000) returned 1 [0214.735] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x74b3020 [0214.775] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725b020 | out: hHeap=0x4d40000) returned 1 [0214.786] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x7251020 [0214.806] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b3020 | out: hHeap=0x4d40000) returned 1 [0214.905] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x74b0020 [0214.926] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7251020 | out: hHeap=0x4d40000) returned 1 [0215.010] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x7251020 [0215.029] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b0020 | out: hHeap=0x4d40000) returned 1 [0215.184] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x74b8020 [0215.313] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7251020 | out: hHeap=0x4d40000) returned 1 [0215.331] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x725f020 [0215.352] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b8020 | out: hHeap=0x4d40000) returned 1 [0215.477] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x74b4020 [0215.508] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x725f020 | out: hHeap=0x4d40000) returned 1 [0215.677] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x7257020 [0215.705] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b4020 | out: hHeap=0x4d40000) returned 1 [0215.760] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x74bf020 [0215.789] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7257020 | out: hHeap=0x4d40000) returned 1 [0215.911] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d0f, _Size=0x2bfe | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0215.915] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0215.915] memcpy (in: _Dst=0x4cc4008, _Src=0x88ec020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0215.917] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0215.918] memcpy (in: _Dst=0x4cc4008, _Src=0x88f4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0215.920] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0215.920] memcpy (in: _Dst=0x4cc4008, _Src=0x88fc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0215.922] memcpy (in: _Dst=0x4dc47c6, _Src=0x4cec020, _Size=0x1402 | out: _Dst=0x4dc47c6) returned 0x4dc47c6 [0215.922] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x7250020 [0215.946] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bf020 | out: hHeap=0x4d40000) returned 1 [0216.000] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x74b5020 [0216.037] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7250020 | out: hHeap=0x4d40000) returned 1 [0216.105] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x7259020 [0216.141] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b5020 | out: hHeap=0x4d40000) returned 1 [0216.219] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x74be020 [0216.257] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7259020 | out: hHeap=0x4d40000) returned 1 [0216.551] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x7255020 [0216.574] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74be020 | out: hHeap=0x4d40000) returned 1 [0216.722] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x74b6020 [0216.746] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7255020 | out: hHeap=0x4d40000) returned 1 [0216.815] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7252020 [0216.840] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b6020 | out: hHeap=0x4d40000) returned 1 [0216.895] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x74b9020 [0216.924] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7252020 | out: hHeap=0x4d40000) returned 1 [0217.001] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x7253020 [0217.030] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b9020 | out: hHeap=0x4d40000) returned 1 [0217.107] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x74bc020 [0217.132] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7253020 | out: hHeap=0x4d40000) returned 1 [0217.160] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12506b) returned 0x7255020 [0217.205] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bc020 | out: hHeap=0x4d40000) returned 1 [0217.249] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0217.250] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0217.264] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0217.268] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0217.269] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0217.270] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0217.293] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x958f020 | out: hHeap=0x4d40000) returned 1 [0217.447] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8484020 | out: hHeap=0x4d40000) returned 1 [0217.531] DeleteDC (hdc=0x3f010982) returned 1 [0217.532] DeleteDC (hdc=0xd010736) returned 1 [0217.532] DeleteObject (ho=0x300509f1) returned 1 [0217.532] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x352aaee4, dwHighDateTime=0x1d99f3b)) [0217.532] Sleep (dwMilliseconds=0x3a98) [0217.581] GetDC (hWnd=0x0) returned 0x27010a3b [0217.581] CreateCompatibleDC (hdc=0x27010a3b) returned 0x320109f1 [0217.581] GetDeviceCaps (hdc=0x27010a3b, index=8) returned 1440 [0217.581] GetDeviceCaps (hdc=0x27010a3b, index=10) returned 900 [0217.581] CreateCompatibleBitmap (hdc=0x27010a3b, cx=1440, cy=900) returned 0x40050982 [0217.672] SelectObject (hdc=0x320109f1, h=0x40050982) returned 0x185000f [0217.672] BitBlt (hdc=0x320109f1, x=0, y=0, cx=1440, cy=900, hdcSrc=0x27010a3b, x1=0, y1=0, rop=0xcc0020) returned 1 [0218.415] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0218.415] CopyIcon (hIcon=0x10019) returned 0x1403a5 [0218.417] GetIconInfo (in: hIcon=0x1403a5, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0218.417] GetObjectW (in: h=0x2f050a42, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0218.417] DrawIconEx (hdc=0x320109f1, xLeft=264, yTop=193, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0218.418] SelectObject (hdc=0x320109f1, h=0x185000f) returned 0x40050982 [0218.418] GetObjectW (in: h=0x40050982, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0218.418] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x8d8f020 [0218.433] GetDIBits (in: hdc=0x320109f1, hbm=0x40050982, start=0x0, cLines=0x384, lpvBits=0x8d8f020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x8d8f020, lpbmi=0x4cf934) returned 900 [0218.608] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8484020 [0218.909] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0218.910] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0218.910] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0218.912] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0218.912] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0219.102] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0219.122] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0219.123] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1316 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.123] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.123] memcpy (in: _Dst=0x4cc4008, _Src=0x850c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.125] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.125] memcpy (in: _Dst=0x4cc4008, _Src=0x8514020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.126] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.127] memcpy (in: _Dst=0x4cc4008, _Src=0x851c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.128] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.128] memcpy (in: _Dst=0x4cc4008, _Src=0x8524020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.130] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.130] memcpy (in: _Dst=0x4cc4008, _Src=0x852c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.131] memcpy (in: _Dst=0x4dc2ede, _Src=0x4cec020, _Size=0x2cea | out: _Dst=0x4dc2ede) returned 0x4dc2ede [0219.131] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0219.132] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0219.132] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed0a, _Size=0x1e7d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.134] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.134] memcpy (in: _Dst=0x4cc4008, _Src=0x8534020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.135] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.135] memcpy (in: _Dst=0x4cc4008, _Src=0x853c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.137] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.137] memcpy (in: _Dst=0x4cc4008, _Src=0x8544020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.139] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.139] memcpy (in: _Dst=0x4cc4008, _Src=0x854c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.139] memcpy (in: _Dst=0x4dc3a45, _Src=0x4cec020, _Size=0x2183 | out: _Dst=0x4dc3a45) returned 0x4dc3a45 [0219.139] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0219.142] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0219.142] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a3, _Size=0x2509 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.144] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.144] memcpy (in: _Dst=0x4cc4008, _Src=0x8554020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.145] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.145] memcpy (in: _Dst=0x4cc4008, _Src=0x855c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.237] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.237] memcpy (in: _Dst=0x4cc4008, _Src=0x8564020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.239] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.239] memcpy (in: _Dst=0x4cc4008, _Src=0x856c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.242] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.242] memcpy (in: _Dst=0x4cc4008, _Src=0x8574020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.244] memcpy (in: _Dst=0x4dc40d1, _Src=0x4cec020, _Size=0x1af7 | out: _Dst=0x4dc40d1) returned 0x4dc40d1 [0219.244] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0219.246] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.246] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb17, _Size=0x2970 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.247] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.247] memcpy (in: _Dst=0x4cc4008, _Src=0x857c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.250] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.250] memcpy (in: _Dst=0x4cc4008, _Src=0x8584020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.255] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.255] memcpy (in: _Dst=0x4cc4008, _Src=0x858c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.261] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.261] memcpy (in: _Dst=0x4cc4008, _Src=0x8594020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.266] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.266] memcpy (in: _Dst=0x4cc4008, _Src=0x859c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.271] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.271] memcpy (in: _Dst=0x4cc4008, _Src=0x85a4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.412] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.412] memcpy (in: _Dst=0x4cc4008, _Src=0x85ac020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.415] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.415] memcpy (in: _Dst=0x4cc4008, _Src=0x85b4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.416] memcpy (in: _Dst=0x4dc4538, _Src=0x4cec020, _Size=0x1690 | out: _Dst=0x4dc4538) returned 0x4dc4538 [0219.416] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0219.418] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0219.418] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6b0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.418] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0219.419] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0219.419] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16b0, _Size=0x140c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.421] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.421] memcpy (in: _Dst=0x4cc4008, _Src=0x85bc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.422] memcpy (in: _Dst=0x4dc2fd4, _Src=0x4cec020, _Size=0x2bf4 | out: _Dst=0x4dc2fd4) returned 0x4dc2fd4 [0219.422] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0219.423] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.424] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec14, _Size=0x29d0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.424] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.424] memcpy (in: _Dst=0x4cc4008, _Src=0x85c4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.425] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.425] memcpy (in: _Dst=0x4cc4008, _Src=0x85cc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.427] memcpy (in: _Dst=0x4dc4598, _Src=0x4cec020, _Size=0x1630 | out: _Dst=0x4dc4598) returned 0x4dc4598 [0219.427] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0219.431] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0219.431] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced650, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.431] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0219.434] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.434] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1650, _Size=0x432 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.434] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.434] memcpy (in: _Dst=0x4cc4008, _Src=0x85d4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.435] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.436] memcpy (in: _Dst=0x4cc4008, _Src=0x85dc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.437] memcpy (in: _Dst=0x4dc1ffa, _Src=0x4cec020, _Size=0x3bce | out: _Dst=0x4dc1ffa) returned 0x4dc1ffa [0219.437] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0219.438] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0219.438] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbee, _Size=0x2039 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.439] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.439] memcpy (in: _Dst=0x4cc4008, _Src=0x85e4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.440] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.440] memcpy (in: _Dst=0x4cc4008, _Src=0x85ec020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.441] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.442] memcpy (in: _Dst=0x4cc4008, _Src=0x85f4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.442] memcpy (in: _Dst=0x4dc3c01, _Src=0x4cec020, _Size=0x1fc7 | out: _Dst=0x4dc3c01) returned 0x4dc3c01 [0219.442] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0219.444] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.444] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe7, _Size=0x3f2d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.445] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.445] memcpy (in: _Dst=0x4cc4008, _Src=0x85fc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.566] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.566] memcpy (in: _Dst=0x4cc4008, _Src=0x8604020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.567] memcpy (in: _Dst=0x4dc5af5, _Src=0x4cec020, _Size=0xd3 | out: _Dst=0x4dc5af5) returned 0x4dc5af5 [0219.567] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0219.570] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.571] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0f3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.571] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0219.572] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0219.572] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00f3, _Size=0x2153 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.573] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.573] memcpy (in: _Dst=0x4cc4008, _Src=0x860c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.574] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.574] memcpy (in: _Dst=0x4cc4008, _Src=0x8614020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.576] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.576] memcpy (in: _Dst=0x4cc4008, _Src=0x861c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.577] memcpy (in: _Dst=0x4dc3d1b, _Src=0x4cec020, _Size=0x1ead | out: _Dst=0x4dc3d1b) returned 0x4dc3d1b [0219.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0219.579] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.579] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedecd, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.579] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0219.581] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.581] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ecd, _Size=0x861 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.582] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.582] memcpy (in: _Dst=0x4cc4008, _Src=0x8624020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.584] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.584] memcpy (in: _Dst=0x4cc4008, _Src=0x862c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.588] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.588] memcpy (in: _Dst=0x4cc4008, _Src=0x8634020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.589] memcpy (in: _Dst=0x4dc2429, _Src=0x4cec020, _Size=0x379f | out: _Dst=0x4dc2429) returned 0x4dc2429 [0219.589] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0219.591] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.591] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7bf, _Size=0x3356 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.592] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.592] memcpy (in: _Dst=0x4cc4008, _Src=0x863c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.594] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.594] memcpy (in: _Dst=0x4cc4008, _Src=0x8644020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.595] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.595] memcpy (in: _Dst=0x4cc4008, _Src=0x864c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.597] memcpy (in: _Dst=0x4dc4f1e, _Src=0x4cec020, _Size=0xcaa | out: _Dst=0x4dc4f1e) returned 0x4dc4f1e [0219.597] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0219.599] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.599] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccca, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.599] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0219.601] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.741] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cca, _Size=0x1e80 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.742] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.742] memcpy (in: _Dst=0x4cc4008, _Src=0x8654020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.745] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.745] memcpy (in: _Dst=0x4cc4008, _Src=0x865c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.747] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.747] memcpy (in: _Dst=0x4cc4008, _Src=0x8664020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.749] memcpy (in: _Dst=0x4dc3a48, _Src=0x4cec020, _Size=0x2180 | out: _Dst=0x4dc3a48) returned 0x4dc3a48 [0219.749] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0219.755] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.755] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.755] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0219.759] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0219.759] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a0, _Size=0xae4 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.760] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.760] memcpy (in: _Dst=0x4cc4008, _Src=0x866c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.763] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.763] memcpy (in: _Dst=0x4cc4008, _Src=0x8674020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.766] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.766] memcpy (in: _Dst=0x4cc4008, _Src=0x867c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.768] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.768] memcpy (in: _Dst=0x4cc4008, _Src=0x8684020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.770] memcpy (in: _Dst=0x4dc26ac, _Src=0x4cec020, _Size=0x351c | out: _Dst=0x4dc26ac) returned 0x4dc26ac [0219.770] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0219.780] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.780] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef53c, _Size=0x3e1c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.781] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.782] memcpy (in: _Dst=0x4cc4008, _Src=0x868c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.785] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.785] memcpy (in: _Dst=0x4cc4008, _Src=0x8694020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.837] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.837] memcpy (in: _Dst=0x4cc4008, _Src=0x869c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.840] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.840] memcpy (in: _Dst=0x4cc4008, _Src=0x86a4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.842] memcpy (in: _Dst=0x4dc59e4, _Src=0x4cec020, _Size=0x1e4 | out: _Dst=0x4dc59e4) returned 0x4dc59e4 [0219.842] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0219.846] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0219.846] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec204, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.846] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0219.850] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.850] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0204, _Size=0x32f6 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.852] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.852] memcpy (in: _Dst=0x4cc4008, _Src=0x86ac020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.855] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.855] memcpy (in: _Dst=0x4cc4008, _Src=0x86b4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.859] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.859] memcpy (in: _Dst=0x4cc4008, _Src=0x86bc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.863] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.863] memcpy (in: _Dst=0x4cc4008, _Src=0x86c4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.863] memcpy (in: _Dst=0x4dc4ebe, _Src=0x4cec020, _Size=0xd0a | out: _Dst=0x4dc4ebe) returned 0x4dc4ebe [0219.863] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0219.868] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0219.972] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.972] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0219.978] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0219.979] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2a, _Size=0x2747 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0219.983] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.983] memcpy (in: _Dst=0x4cc4008, _Src=0x86cc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.986] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.986] memcpy (in: _Dst=0x4cc4008, _Src=0x86d4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.990] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0219.990] memcpy (in: _Dst=0x4cc4008, _Src=0x86dc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0219.993] memcpy (in: _Dst=0x4dc430f, _Src=0x4cec020, _Size=0x18b9 | out: _Dst=0x4dc430f) returned 0x4dc430f [0219.993] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0220.006] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0220.191] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8d9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0220.191] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0220.197] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0220.207] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18d9, _Size=0x1d9f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0220.208] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.208] memcpy (in: _Dst=0x4cc4008, _Src=0x86e4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.213] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.213] memcpy (in: _Dst=0x4cc4008, _Src=0x86ec020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.216] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.216] memcpy (in: _Dst=0x4cc4008, _Src=0x86f4020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.219] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.219] memcpy (in: _Dst=0x4cc4008, _Src=0x86fc020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.220] memcpy (in: _Dst=0x4dc3967, _Src=0x4cec020, _Size=0x2261 | out: _Dst=0x4dc3967) returned 0x4dc3967 [0220.221] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0220.448] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0220.448] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee281, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0220.448] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0220.464] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0220.466] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2281, _Size=0x1362 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0220.468] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.468] memcpy (in: _Dst=0x4cc4008, _Src=0x8704020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.470] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.471] memcpy (in: _Dst=0x4cc4008, _Src=0x870c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.473] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0220.474] memcpy (in: _Dst=0x4cc4008, _Src=0x8714020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0220.728] memcpy (in: _Dst=0x4dc2f2a, _Src=0x4cec020, _Size=0x2c9e | out: _Dst=0x4dc2f2a) returned 0x4dc2f2a [0220.728] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0220.745] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0220.755] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecbe, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0220.755] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x817c078 [0220.772] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0221.103] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2cbe, _Size=0x732 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0221.104] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0221.104] memcpy (in: _Dst=0x4cc4008, _Src=0x871c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0221.106] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0221.106] memcpy (in: _Dst=0x4cc4008, _Src=0x8724020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0221.108] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0221.108] memcpy (in: _Dst=0x4cc4008, _Src=0x872c020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0221.111] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0221.111] memcpy (in: _Dst=0x4cc4008, _Src=0x8734020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0221.111] memcpy (in: _Dst=0x4dc22fa, _Src=0x4cec020, _Size=0x38ce | out: _Dst=0x4dc22fa) returned 0x4dc22fa [0221.111] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x74b3020 [0221.123] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x817c078 | out: hHeap=0x4d40000) returned 1 [0221.139] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x7542020 [0221.233] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b3020 | out: hHeap=0x4d40000) returned 1 [0221.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x74b1020 [0221.248] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7542020 | out: hHeap=0x4d40000) returned 1 [0221.261] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7548020 [0221.274] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b1020 | out: hHeap=0x4d40000) returned 1 [0221.372] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x7755020 [0221.425] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7548020 | out: hHeap=0x4d40000) returned 1 [0221.437] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x74bd020 [0221.582] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7755020 | out: hHeap=0x4d40000) returned 1 [0221.586] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x756d020 [0221.604] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bd020 | out: hHeap=0x4d40000) returned 1 [0221.754] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x74b3020 [0221.769] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x756d020 | out: hHeap=0x4d40000) returned 1 [0221.774] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x756e020 [0221.790] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b3020 | out: hHeap=0x4d40000) returned 1 [0221.925] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x775e020 [0221.942] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x756e020 | out: hHeap=0x4d40000) returned 1 [0222.080] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x74b8020 [0222.099] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775e020 | out: hHeap=0x4d40000) returned 1 [0222.113] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x7571020 [0222.215] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b8020 | out: hHeap=0x4d40000) returned 1 [0222.229] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x74b9020 [0222.250] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7571020 | out: hHeap=0x4d40000) returned 1 [0222.372] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x7751020 [0222.428] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b9020 | out: hHeap=0x4d40000) returned 1 [0222.442] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x74be020 [0222.683] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7751020 | out: hHeap=0x4d40000) returned 1 [0222.689] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7759020 [0222.709] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74be020 | out: hHeap=0x4d40000) returned 1 [0222.814] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x74b1020 [0222.831] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7759020 | out: hHeap=0x4d40000) returned 1 [0222.895] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x775e020 [0222.913] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b1020 | out: hHeap=0x4d40000) returned 1 [0222.925] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x74b2020 [0223.037] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775e020 | out: hHeap=0x4d40000) returned 1 [0223.043] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x7757020 [0223.235] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b2020 | out: hHeap=0x4d40000) returned 1 [0223.249] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x74b2020 [0223.268] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7757020 | out: hHeap=0x4d40000) returned 1 [0223.502] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7755020 [0223.527] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b2020 | out: hHeap=0x4d40000) returned 1 [0223.701] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x74b1020 [0223.726] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7755020 | out: hHeap=0x4d40000) returned 1 [0223.741] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x775b020 [0223.980] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b1020 | out: hHeap=0x4d40000) returned 1 [0223.986] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x74be020 [0224.009] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775b020 | out: hHeap=0x4d40000) returned 1 [0224.162] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x7759020 [0224.186] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74be020 | out: hHeap=0x4d40000) returned 1 [0224.331] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x74b4020 [0224.358] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7759020 | out: hHeap=0x4d40000) returned 1 [0224.555] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x775e020 [0224.583] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b4020 | out: hHeap=0x4d40000) returned 1 [0224.736] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x74bb020 [0224.756] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775e020 | out: hHeap=0x4d40000) returned 1 [0224.764] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x775b020 [0224.919] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bb020 | out: hHeap=0x4d40000) returned 1 [0224.935] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x74b8020 [0225.252] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775b020 | out: hHeap=0x4d40000) returned 1 [0225.260] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x775c020 [0225.288] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b8020 | out: hHeap=0x4d40000) returned 1 [0225.474] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x74bc020 [0225.607] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775c020 | out: hHeap=0x4d40000) returned 1 [0225.615] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x7756020 [0225.703] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74bc020 | out: hHeap=0x4d40000) returned 1 [0225.724] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x74b7020 [0225.821] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7756020 | out: hHeap=0x4d40000) returned 1 [0225.828] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x775d020 [0225.929] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b7020 | out: hHeap=0x4d40000) returned 1 [0226.053] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x74b0020 [0226.081] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775d020 | out: hHeap=0x4d40000) returned 1 [0226.185] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7759020 [0226.233] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b0020 | out: hHeap=0x4d40000) returned 1 [0226.257] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x74be020 [0226.293] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7759020 | out: hHeap=0x4d40000) returned 1 [0226.309] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x7750020 [0226.386] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74be020 | out: hHeap=0x4d40000) returned 1 [0226.449] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x74b8020 [0226.557] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7750020 | out: hHeap=0x4d40000) returned 1 [0226.567] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x775a020 [0226.642] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x74b8020 | out: hHeap=0x4d40000) returned 1 [0226.702] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x125060) returned 0x74b7020 [0226.726] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775a020 | out: hHeap=0x4d40000) returned 1 [0226.735] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0226.737] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0226.743] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0226.745] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0226.827] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0226.828] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0226.853] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d8f020 | out: hHeap=0x4d40000) returned 1 [0226.964] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8484020 | out: hHeap=0x4d40000) returned 1 [0227.052] DeleteDC (hdc=0x320109f1) returned 1 [0227.052] DeleteDC (hdc=0x27010a3b) returned 1 [0227.052] DeleteObject (ho=0x40050982) returned 1 [0227.053] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x3ad74f61, dwHighDateTime=0x1d99f3b)) [0227.053] Sleep (dwMilliseconds=0x3a98) [0227.060] GetDC (hWnd=0x0) returned 0x27010a3b [0227.060] CreateCompatibleDC (hdc=0x27010a3b) returned 0x41010982 [0227.060] GetDeviceCaps (hdc=0x27010a3b, index=8) returned 1440 [0227.060] GetDeviceCaps (hdc=0x27010a3b, index=10) returned 900 [0227.060] CreateCompatibleBitmap (hdc=0x27010a3b, cx=1440, cy=900) returned 0x330509f1 [0227.171] SelectObject (hdc=0x41010982, h=0x330509f1) returned 0x185000f [0227.171] BitBlt (hdc=0x41010982, x=0, y=0, cx=1440, cy=900, hdcSrc=0x27010a3b, x1=0, y1=0, rop=0xcc0020) returned 1 [0227.806] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0227.806] CopyIcon (hIcon=0x10003) returned 0xf0391 [0227.815] GetIconInfo (in: hIcon=0xf0391, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0227.815] GetObjectW (in: h=0x130509cc, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0227.815] DrawIconEx (hdc=0x41010982, xLeft=840, yTop=314, hIcon=0x10003, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0227.816] SelectObject (hdc=0x41010982, h=0x185000f) returned 0x330509f1 [0227.816] GetObjectW (in: h=0x330509f1, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0227.816] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x8481020 [0227.853] GetDIBits (in: hdc=0x41010982, hbm=0x330509f1, start=0x0, cLines=0x384, lpvBits=0x8481020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x8481020, lpbmi=0x4cf934) returned 900 [0227.957] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8d8d020 [0228.167] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0228.169] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0228.169] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0228.171] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0228.171] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0228.172] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0228.248] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0228.248] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1316 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.249] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.249] memcpy (in: _Dst=0x4cc4008, _Src=0x8e15020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.250] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.250] memcpy (in: _Dst=0x4cc4008, _Src=0x8e1d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.252] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.252] memcpy (in: _Dst=0x4cc4008, _Src=0x8e25020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.253] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.253] memcpy (in: _Dst=0x4cc4008, _Src=0x8e2d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.255] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.255] memcpy (in: _Dst=0x4cc4008, _Src=0x8e35020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.256] memcpy (in: _Dst=0x4dc2ede, _Src=0x4cec020, _Size=0x2cea | out: _Dst=0x4dc2ede) returned 0x4dc2ede [0228.256] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0228.260] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0228.260] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed0a, _Size=0x1e7d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.261] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.261] memcpy (in: _Dst=0x4cc4008, _Src=0x8e3d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.262] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.263] memcpy (in: _Dst=0x4cc4008, _Src=0x8e45020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.264] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.264] memcpy (in: _Dst=0x4cc4008, _Src=0x8e4d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.266] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.266] memcpy (in: _Dst=0x4cc4008, _Src=0x8e55020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.266] memcpy (in: _Dst=0x4dc3a45, _Src=0x4cec020, _Size=0x2183 | out: _Dst=0x4dc3a45) returned 0x4dc3a45 [0228.266] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0228.270] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0228.270] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a3, _Size=0x2509 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.304] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.304] memcpy (in: _Dst=0x4cc4008, _Src=0x8e5d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.305] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.305] memcpy (in: _Dst=0x4cc4008, _Src=0x8e65020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.307] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.307] memcpy (in: _Dst=0x4cc4008, _Src=0x8e6d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.309] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.309] memcpy (in: _Dst=0x4cc4008, _Src=0x8e75020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.311] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.311] memcpy (in: _Dst=0x4cc4008, _Src=0x8e7d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.313] memcpy (in: _Dst=0x4dc40d1, _Src=0x4cec020, _Size=0x1af7 | out: _Dst=0x4dc40d1) returned 0x4dc40d1 [0228.313] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0228.315] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.315] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb17, _Size=0x2970 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.316] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.316] memcpy (in: _Dst=0x4cc4008, _Src=0x8e85020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.320] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.320] memcpy (in: _Dst=0x4cc4008, _Src=0x8e8d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.324] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.324] memcpy (in: _Dst=0x4cc4008, _Src=0x8e95020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.329] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.329] memcpy (in: _Dst=0x4cc4008, _Src=0x8e9d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.336] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.336] memcpy (in: _Dst=0x4cc4008, _Src=0x8ea5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.341] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.341] memcpy (in: _Dst=0x4cc4008, _Src=0x8ead020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.346] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.346] memcpy (in: _Dst=0x4cc4008, _Src=0x8eb5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.378] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.378] memcpy (in: _Dst=0x4cc4008, _Src=0x8ebd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.378] memcpy (in: _Dst=0x4dc4538, _Src=0x4cec020, _Size=0x1690 | out: _Dst=0x4dc4538) returned 0x4dc4538 [0228.378] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0228.382] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0228.385] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6b0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.385] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0228.387] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0228.387] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16b0, _Size=0x140c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.389] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.389] memcpy (in: _Dst=0x4cc4008, _Src=0x8ec5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.390] memcpy (in: _Dst=0x4dc2fd4, _Src=0x4cec020, _Size=0x2bf4 | out: _Dst=0x4dc2fd4) returned 0x4dc2fd4 [0228.390] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0228.392] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.392] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec14, _Size=0x29d0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.393] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.393] memcpy (in: _Dst=0x4cc4008, _Src=0x8ecd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.395] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.395] memcpy (in: _Dst=0x4cc4008, _Src=0x8ed5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.399] memcpy (in: _Dst=0x4dc4598, _Src=0x4cec020, _Size=0x1630 | out: _Dst=0x4dc4598) returned 0x4dc4598 [0228.399] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0228.404] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0228.404] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced650, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.404] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0228.408] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.408] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1650, _Size=0x432 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.408] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.408] memcpy (in: _Dst=0x4cc4008, _Src=0x8edd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.409] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.409] memcpy (in: _Dst=0x4cc4008, _Src=0x8ee5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.411] memcpy (in: _Dst=0x4dc1ffa, _Src=0x4cec020, _Size=0x3bce | out: _Dst=0x4dc1ffa) returned 0x4dc1ffa [0228.411] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0228.413] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0228.490] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbee, _Size=0x2039 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.490] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.490] memcpy (in: _Dst=0x4cc4008, _Src=0x8eed020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.491] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.492] memcpy (in: _Dst=0x4cc4008, _Src=0x8ef5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.493] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.493] memcpy (in: _Dst=0x4cc4008, _Src=0x8efd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.493] memcpy (in: _Dst=0x4dc3c01, _Src=0x4cec020, _Size=0x1fc7 | out: _Dst=0x4dc3c01) returned 0x4dc3c01 [0228.493] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0228.496] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.496] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe7, _Size=0x3f2d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.497] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.497] memcpy (in: _Dst=0x4cc4008, _Src=0x8f05020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.499] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.499] memcpy (in: _Dst=0x4cc4008, _Src=0x8f0d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.500] memcpy (in: _Dst=0x4dc5af5, _Src=0x4cec020, _Size=0xd3 | out: _Dst=0x4dc5af5) returned 0x4dc5af5 [0228.500] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0228.504] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.504] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0f3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.504] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0228.508] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0228.609] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00f3, _Size=0x2153 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.610] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.610] memcpy (in: _Dst=0x4cc4008, _Src=0x8f15020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.612] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.612] memcpy (in: _Dst=0x4cc4008, _Src=0x8f1d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.613] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.613] memcpy (in: _Dst=0x4cc4008, _Src=0x8f25020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.617] memcpy (in: _Dst=0x4dc3d1b, _Src=0x4cec020, _Size=0x1ead | out: _Dst=0x4dc3d1b) returned 0x4dc3d1b [0228.617] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0228.619] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.619] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedecd, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.619] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0228.622] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.623] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ecd, _Size=0x861 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.624] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.624] memcpy (in: _Dst=0x4cc4008, _Src=0x8f2d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.626] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.626] memcpy (in: _Dst=0x4cc4008, _Src=0x8f35020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.627] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.627] memcpy (in: _Dst=0x4cc4008, _Src=0x8f3d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.628] memcpy (in: _Dst=0x4dc2429, _Src=0x4cec020, _Size=0x379f | out: _Dst=0x4dc2429) returned 0x4dc2429 [0228.628] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0228.631] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.680] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7bf, _Size=0x3356 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.681] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.681] memcpy (in: _Dst=0x4cc4008, _Src=0x8f45020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.683] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.683] memcpy (in: _Dst=0x4cc4008, _Src=0x8f4d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.684] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.684] memcpy (in: _Dst=0x4cc4008, _Src=0x8f55020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.685] memcpy (in: _Dst=0x4dc4f1e, _Src=0x4cec020, _Size=0xcaa | out: _Dst=0x4dc4f1e) returned 0x4dc4f1e [0228.685] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0228.691] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.691] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccca, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.691] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0228.694] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.697] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cca, _Size=0x1e80 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.698] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.698] memcpy (in: _Dst=0x4cc4008, _Src=0x8f5d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.700] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.700] memcpy (in: _Dst=0x4cc4008, _Src=0x8f65020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.702] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.702] memcpy (in: _Dst=0x4cc4008, _Src=0x8f6d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.704] memcpy (in: _Dst=0x4dc3a48, _Src=0x4cec020, _Size=0x2180 | out: _Dst=0x4dc3a48) returned 0x4dc3a48 [0228.704] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0228.709] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.709] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.709] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0228.713] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0228.713] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf21a0, _Size=0xae4 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.713] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.713] memcpy (in: _Dst=0x4cc4008, _Src=0x8f75020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.715] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.715] memcpy (in: _Dst=0x4cc4008, _Src=0x8f7d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.717] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.718] memcpy (in: _Dst=0x4cc4008, _Src=0x8f85020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.720] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.720] memcpy (in: _Dst=0x4cc4008, _Src=0x8f8d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.722] memcpy (in: _Dst=0x4dc26ac, _Src=0x4cec020, _Size=0x351c | out: _Dst=0x4dc26ac) returned 0x4dc26ac [0228.722] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0228.785] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.785] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef53c, _Size=0x3e1c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.786] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.786] memcpy (in: _Dst=0x4cc4008, _Src=0x8f95020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.789] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.789] memcpy (in: _Dst=0x4cc4008, _Src=0x8f9d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.791] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.792] memcpy (in: _Dst=0x4cc4008, _Src=0x8fa5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.794] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.794] memcpy (in: _Dst=0x4cc4008, _Src=0x8fad020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.796] memcpy (in: _Dst=0x4dc59e4, _Src=0x4cec020, _Size=0x1e4 | out: _Dst=0x4dc59e4) returned 0x4dc59e4 [0228.796] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0228.800] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0228.800] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec204, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.800] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0228.805] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.807] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0204, _Size=0x32f6 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.809] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.809] memcpy (in: _Dst=0x4cc4008, _Src=0x8fb5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.811] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.811] memcpy (in: _Dst=0x4cc4008, _Src=0x8fbd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.814] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.814] memcpy (in: _Dst=0x4cc4008, _Src=0x8fc5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.817] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.817] memcpy (in: _Dst=0x4cc4008, _Src=0x8fcd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.871] memcpy (in: _Dst=0x4dc4ebe, _Src=0x4cec020, _Size=0xd0a | out: _Dst=0x4dc4ebe) returned 0x4dc4ebe [0228.871] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0228.876] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0228.876] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd2a, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.876] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0228.880] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0228.880] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d2a, _Size=0x2747 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.883] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.883] memcpy (in: _Dst=0x4cc4008, _Src=0x8fd5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.886] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.886] memcpy (in: _Dst=0x4cc4008, _Src=0x8fdd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.889] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0228.889] memcpy (in: _Dst=0x4cc4008, _Src=0x8fe5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0228.891] memcpy (in: _Dst=0x4dc430f, _Src=0x4cec020, _Size=0x18b9 | out: _Dst=0x4dc430f) returned 0x4dc430f [0228.891] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0228.909] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0228.909] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8d9, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0228.909] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0228.914] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0229.009] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18d9, _Size=0x1d9f | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0229.010] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.010] memcpy (in: _Dst=0x4cc4008, _Src=0x8fed020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.012] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.012] memcpy (in: _Dst=0x4cc4008, _Src=0x8ff5020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.015] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.015] memcpy (in: _Dst=0x4cc4008, _Src=0x8ffd020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.017] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.017] memcpy (in: _Dst=0x4cc4008, _Src=0x9005020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.018] memcpy (in: _Dst=0x4dc3967, _Src=0x4cec020, _Size=0x2261 | out: _Dst=0x4dc3967) returned 0x4dc3967 [0229.018] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0229.027] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0229.027] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee281, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0229.027] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0229.039] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0229.041] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2281, _Size=0x1362 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0229.042] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.043] memcpy (in: _Dst=0x4cc4008, _Src=0x900d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.045] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.045] memcpy (in: _Dst=0x4cc4008, _Src=0x9015020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.048] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.048] memcpy (in: _Dst=0x4cc4008, _Src=0x901d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.050] memcpy (in: _Dst=0x4dc2f2a, _Src=0x4cec020, _Size=0x2c9e | out: _Dst=0x4dc2f2a) returned 0x4dc2f2a [0229.050] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0229.272] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0229.280] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceecbe, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0229.280] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x8020048 [0229.293] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0229.298] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2cbe, _Size=0x732 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0229.299] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.299] memcpy (in: _Dst=0x4cc4008, _Src=0x9025020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.347] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.348] memcpy (in: _Dst=0x4cc4008, _Src=0x902d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.350] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.350] memcpy (in: _Dst=0x4cc4008, _Src=0x9035020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.352] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0229.352] memcpy (in: _Dst=0x4cc4008, _Src=0x903d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0229.353] memcpy (in: _Dst=0x4dc22fa, _Src=0x4cec020, _Size=0x38ce | out: _Dst=0x4dc22fa) returned 0x4dc22fa [0229.353] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7751020 [0229.367] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0229.378] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x77ea020 [0229.760] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7751020 | out: hHeap=0x4d40000) returned 1 [0229.769] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x7753020 [0229.790] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x77ea020 | out: hHeap=0x4d40000) returned 1 [0229.892] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x77e3020 [0229.913] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7753020 | out: hHeap=0x4d40000) returned 1 [0229.925] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x79c0020 [0229.987] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x77e3020 | out: hHeap=0x4d40000) returned 1 [0230.001] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x775b020 [0230.017] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c0020 | out: hHeap=0x4d40000) returned 1 [0230.063] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x79cc020 [0230.079] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775b020 | out: hHeap=0x4d40000) returned 1 [0230.094] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x7759020 [0230.192] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79cc020 | out: hHeap=0x4d40000) returned 1 [0230.221] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x79c8020 [0230.239] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7759020 | out: hHeap=0x4d40000) returned 1 [0230.254] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x7752020 [0230.338] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c8020 | out: hHeap=0x4d40000) returned 1 [0230.347] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x79ca020 [0230.372] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7752020 | out: hHeap=0x4d40000) returned 1 [0230.494] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x775f020 [0230.514] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79ca020 | out: hHeap=0x4d40000) returned 1 [0230.752] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x79c6020 [0230.777] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775f020 | out: hHeap=0x4d40000) returned 1 [0230.856] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x7752020 [0230.872] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c6020 | out: hHeap=0x4d40000) returned 1 [0230.960] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x79c0020 [0230.977] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7752020 | out: hHeap=0x4d40000) returned 1 [0231.043] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7757020 [0231.060] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c0020 | out: hHeap=0x4d40000) returned 1 [0231.071] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x79cd020 [0231.104] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7757020 | out: hHeap=0x4d40000) returned 1 [0231.109] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x775c020 [0231.126] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79cd020 | out: hHeap=0x4d40000) returned 1 [0231.137] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x79c6020 [0231.182] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775c020 | out: hHeap=0x4d40000) returned 1 [0231.187] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x7758020 [0231.204] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c6020 | out: hHeap=0x4d40000) returned 1 [0231.298] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf30e1, _Size=0x35 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0231.299] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0231.299] memcpy (in: _Dst=0x4cc4008, _Src=0x9145020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0231.301] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0231.301] memcpy (in: _Dst=0x4cc4008, _Src=0x914d020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0231.304] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0231.304] memcpy (in: _Dst=0x4cc4008, _Src=0x9155020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0231.305] memcpy (in: _Dst=0x4dc1bfd, _Src=0x4cec020, _Size=0x3fcb | out: _Dst=0x4dc1bfd) returned 0x4dc1bfd [0231.305] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x79cc020 [0231.322] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7758020 | out: hHeap=0x4d40000) returned 1 [0231.424] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7757020 [0231.442] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79cc020 | out: hHeap=0x4d40000) returned 1 [0231.486] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x79c1020 [0231.503] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7757020 | out: hHeap=0x4d40000) returned 1 [0231.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x775d020 [0231.600] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c1020 | out: hHeap=0x4d40000) returned 1 [0231.653] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x79c8020 [0231.680] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775d020 | out: hHeap=0x4d40000) returned 1 [0231.750] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x775a020 [0231.779] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c8020 | out: hHeap=0x4d40000) returned 1 [0231.786] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x79cb020 [0231.847] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775a020 | out: hHeap=0x4d40000) returned 1 [0231.860] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x7755020 [0231.949] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79cb020 | out: hHeap=0x4d40000) returned 1 [0231.966] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x79cb020 [0232.148] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7755020 | out: hHeap=0x4d40000) returned 1 [0232.297] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x775c020 [0232.652] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79cb020 | out: hHeap=0x4d40000) returned 1 [0232.679] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x79c0020 [0232.873] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775c020 | out: hHeap=0x4d40000) returned 1 [0232.883] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x7755020 [0233.197] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c0020 | out: hHeap=0x4d40000) returned 1 [0233.372] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x79c7020 [0233.406] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7755020 | out: hHeap=0x4d40000) returned 1 [0233.602] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x775b020 [0233.638] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c7020 | out: hHeap=0x4d40000) returned 1 [0233.753] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x79c5020 [0233.782] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775b020 | out: hHeap=0x4d40000) returned 1 [0233.900] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x7756020 [0233.926] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c5020 | out: hHeap=0x4d40000) returned 1 [0234.006] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x79c3020 [0234.034] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7756020 | out: hHeap=0x4d40000) returned 1 [0234.128] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7756020 [0234.174] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c3020 | out: hHeap=0x4d40000) returned 1 [0234.283] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x79c9020 [0234.313] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7756020 | out: hHeap=0x4d40000) returned 1 [0234.378] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x775e020 [0234.410] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c9020 | out: hHeap=0x4d40000) returned 1 [0234.586] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x79c0020 [0234.684] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x775e020 | out: hHeap=0x4d40000) returned 1 [0234.716] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7afb020 [0234.833] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c0020 | out: hHeap=0x4d40000) returned 1 [0234.841] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124f06) returned 0x7752020 [0234.983] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7afb020 | out: hHeap=0x4d40000) returned 1 [0234.998] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0235.000] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0235.003] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0235.008] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0235.128] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0235.130] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0235.157] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8481020 | out: hHeap=0x4d40000) returned 1 [0235.319] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d8d020 | out: hHeap=0x4d40000) returned 1 [0235.513] DeleteDC (hdc=0x41010982) returned 1 [0235.513] DeleteDC (hdc=0x27010a3b) returned 1 [0235.513] DeleteObject (ho=0x330509f1) returned 1 [0235.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x3fe34fe7, dwHighDateTime=0x1d99f3b)) [0235.514] Sleep (dwMilliseconds=0x3a98) [0235.621] GetDC (hWnd=0x0) returned 0xd010736 [0235.621] CreateCompatibleDC (hdc=0xd010736) returned 0x350109f1 [0235.621] GetDeviceCaps (hdc=0xd010736, index=8) returned 1440 [0235.621] GetDeviceCaps (hdc=0xd010736, index=10) returned 900 [0235.621] CreateCompatibleBitmap (hdc=0xd010736, cx=1440, cy=900) returned 0x42050982 [0235.690] SelectObject (hdc=0x350109f1, h=0x42050982) returned 0x185000f [0235.690] BitBlt (hdc=0x350109f1, x=0, y=0, cx=1440, cy=900, hdcSrc=0xd010736, x1=0, y1=0, rop=0xcc0020) returned 1 [0236.434] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0236.434] CopyIcon (hIcon=0x10019) returned 0xc039f [0236.436] GetIconInfo (in: hIcon=0xc039f, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0236.436] GetObjectW (in: h=0x2e050a3c, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0236.436] DrawIconEx (hdc=0x350109f1, xLeft=582, yTop=567, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0236.436] SelectObject (hdc=0x350109f1, h=0x185000f) returned 0x42050982 [0236.436] GetObjectW (in: h=0x42050982, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0236.436] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x8489020 [0236.453] GetDIBits (in: hdc=0x350109f1, hbm=0x42050982, start=0x0, cLines=0x384, lpvBits=0x8489020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x8489020, lpbmi=0x4cf934) returned 900 [0236.689] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8d8b020 [0237.185] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0237.187] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0237.187] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0237.189] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0237.189] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0237.190] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0237.210] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0237.211] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1316 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.211] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.211] memcpy (in: _Dst=0x4cc4008, _Src=0x8e13020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.402] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.403] memcpy (in: _Dst=0x4cc4008, _Src=0x8e1b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.413] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.413] memcpy (in: _Dst=0x4cc4008, _Src=0x8e23020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.419] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.419] memcpy (in: _Dst=0x4cc4008, _Src=0x8e2b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.422] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.422] memcpy (in: _Dst=0x4cc4008, _Src=0x8e33020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.423] memcpy (in: _Dst=0x4dc2ede, _Src=0x4cec020, _Size=0x2cea | out: _Dst=0x4dc2ede) returned 0x4dc2ede [0237.423] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0237.425] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0237.425] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed0a, _Size=0x1e7d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.427] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.427] memcpy (in: _Dst=0x4cc4008, _Src=0x8e3b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.429] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.429] memcpy (in: _Dst=0x4cc4008, _Src=0x8e43020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.433] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.433] memcpy (in: _Dst=0x4cc4008, _Src=0x8e4b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.435] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.435] memcpy (in: _Dst=0x4cc4008, _Src=0x8e53020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.436] memcpy (in: _Dst=0x4dc3a45, _Src=0x4cec020, _Size=0x2183 | out: _Dst=0x4dc3a45) returned 0x4dc3a45 [0237.436] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0237.439] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0237.439] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a3, _Size=0x2509 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.441] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.442] memcpy (in: _Dst=0x4cc4008, _Src=0x8e5b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.443] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.443] memcpy (in: _Dst=0x4cc4008, _Src=0x8e63020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.650] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.650] memcpy (in: _Dst=0x4cc4008, _Src=0x8e6b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.652] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.652] memcpy (in: _Dst=0x4cc4008, _Src=0x8e73020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.654] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.654] memcpy (in: _Dst=0x4cc4008, _Src=0x8e7b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.656] memcpy (in: _Dst=0x4dc40d1, _Src=0x4cec020, _Size=0x1af7 | out: _Dst=0x4dc40d1) returned 0x4dc40d1 [0237.656] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0237.658] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0237.658] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb17, _Size=0x2970 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.659] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.659] memcpy (in: _Dst=0x4cc4008, _Src=0x8e83020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.662] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.662] memcpy (in: _Dst=0x4cc4008, _Src=0x8e8b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.666] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.666] memcpy (in: _Dst=0x4cc4008, _Src=0x8e93020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.671] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.671] memcpy (in: _Dst=0x4cc4008, _Src=0x8e9b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.677] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.677] memcpy (in: _Dst=0x4cc4008, _Src=0x8ea3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.682] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.682] memcpy (in: _Dst=0x4cc4008, _Src=0x8eab020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.687] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.687] memcpy (in: _Dst=0x4cc4008, _Src=0x8eb3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.691] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.691] memcpy (in: _Dst=0x4cc4008, _Src=0x8ebb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.691] memcpy (in: _Dst=0x4dc4538, _Src=0x4cec020, _Size=0x1690 | out: _Dst=0x4dc4538) returned 0x4dc4538 [0237.691] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0237.694] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0237.694] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6b0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.694] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0237.695] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0237.695] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16b0, _Size=0x140c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.962] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.963] memcpy (in: _Dst=0x4cc4008, _Src=0x8ec3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.964] memcpy (in: _Dst=0x4dc2fd4, _Src=0x4cec020, _Size=0x2bf4 | out: _Dst=0x4dc2fd4) returned 0x4dc2fd4 [0237.965] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0237.966] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0237.967] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec14, _Size=0x29d0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.967] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.967] memcpy (in: _Dst=0x4cc4008, _Src=0x8ecb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.968] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.968] memcpy (in: _Dst=0x4cc4008, _Src=0x8ed3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.969] memcpy (in: _Dst=0x4dc4598, _Src=0x4cec020, _Size=0x1630 | out: _Dst=0x4dc4598) returned 0x4dc4598 [0237.970] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0237.976] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0237.976] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced650, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.976] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0237.981] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0237.981] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1650, _Size=0x432 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.982] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.982] memcpy (in: _Dst=0x4cc4008, _Src=0x8edb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.983] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.983] memcpy (in: _Dst=0x4cc4008, _Src=0x8ee3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.985] memcpy (in: _Dst=0x4dc1ffa, _Src=0x4cec020, _Size=0x3bce | out: _Dst=0x4dc1ffa) returned 0x4dc1ffa [0237.985] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0237.986] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0237.986] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefbee, _Size=0x2039 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.987] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.987] memcpy (in: _Dst=0x4cc4008, _Src=0x8eeb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.988] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.988] memcpy (in: _Dst=0x4cc4008, _Src=0x8ef3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.989] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.989] memcpy (in: _Dst=0x4cc4008, _Src=0x8efb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.990] memcpy (in: _Dst=0x4dc3c01, _Src=0x4cec020, _Size=0x1fc7 | out: _Dst=0x4dc3c01) returned 0x4dc3c01 [0237.990] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0237.992] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0237.992] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedfe7, _Size=0x3f2d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.993] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.993] memcpy (in: _Dst=0x4cc4008, _Src=0x8f03020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.994] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0237.994] memcpy (in: _Dst=0x4cc4008, _Src=0x8f0b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0237.995] memcpy (in: _Dst=0x4dc5af5, _Src=0x4cec020, _Size=0xd3 | out: _Dst=0x4dc5af5) returned 0x4dc5af5 [0237.995] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0237.999] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0237.999] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec0f3, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0237.999] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0238.001] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0238.001] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf00f3, _Size=0x2153 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.002] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.002] memcpy (in: _Dst=0x4cc4008, _Src=0x8f13020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.003] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.003] memcpy (in: _Dst=0x4cc4008, _Src=0x8f1b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.005] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.005] memcpy (in: _Dst=0x4cc4008, _Src=0x8f23020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.006] memcpy (in: _Dst=0x4dc3d1b, _Src=0x4cec020, _Size=0x1ead | out: _Dst=0x4dc3d1b) returned 0x4dc3d1b [0238.006] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0238.009] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0238.166] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedecd, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.166] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0238.169] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.169] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1ecd, _Size=0x861 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.170] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.170] memcpy (in: _Dst=0x4cc4008, _Src=0x8f2b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.173] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.173] memcpy (in: _Dst=0x4cc4008, _Src=0x8f33020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.175] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.175] memcpy (in: _Dst=0x4cc4008, _Src=0x8f3b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.177] memcpy (in: _Dst=0x4dc2429, _Src=0x4cec020, _Size=0x379f | out: _Dst=0x4dc2429) returned 0x4dc2429 [0238.177] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0238.179] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0238.179] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef7bf, _Size=0x3372 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.180] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.180] memcpy (in: _Dst=0x4cc4008, _Src=0x8f43020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.182] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.182] memcpy (in: _Dst=0x4cc4008, _Src=0x8f4b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.183] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.183] memcpy (in: _Dst=0x4cc4008, _Src=0x8f53020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.184] memcpy (in: _Dst=0x4dc4f3a, _Src=0x4cec020, _Size=0xc8e | out: _Dst=0x4dc4f3a) returned 0x4dc4f3a [0238.184] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0238.187] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.187] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceccae, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.187] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0238.189] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0238.190] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0cae, _Size=0x1e01 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.193] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.193] memcpy (in: _Dst=0x4cc4008, _Src=0x8f5b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.201] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.201] memcpy (in: _Dst=0x4cc4008, _Src=0x8f63020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.203] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.203] memcpy (in: _Dst=0x4cc4008, _Src=0x8f6b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.204] memcpy (in: _Dst=0x4dc39c9, _Src=0x4cec020, _Size=0x21ff | out: _Dst=0x4dc39c9) returned 0x4dc39c9 [0238.204] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0238.208] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.208] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee21f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.208] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0238.211] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0238.211] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf221f, _Size=0xa3c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.323] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.323] memcpy (in: _Dst=0x4cc4008, _Src=0x8f73020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.325] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.325] memcpy (in: _Dst=0x4cc4008, _Src=0x8f7b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.327] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.327] memcpy (in: _Dst=0x4cc4008, _Src=0x8f83020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.329] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.329] memcpy (in: _Dst=0x4cc4008, _Src=0x8f8b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.331] memcpy (in: _Dst=0x4dc2604, _Src=0x4cec020, _Size=0x35c4 | out: _Dst=0x4dc2604) returned 0x4dc2604 [0238.331] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0238.341] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.357] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef5e4, _Size=0x3de0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.358] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.358] memcpy (in: _Dst=0x4cc4008, _Src=0x8f93020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.361] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.361] memcpy (in: _Dst=0x4cc4008, _Src=0x8f9b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.363] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.364] memcpy (in: _Dst=0x4cc4008, _Src=0x8fa3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.366] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.366] memcpy (in: _Dst=0x4cc4008, _Src=0x8fab020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.367] memcpy (in: _Dst=0x4dc59a8, _Src=0x4cec020, _Size=0x220 | out: _Dst=0x4dc59a8) returned 0x4dc59a8 [0238.367] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0238.374] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0238.558] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec240, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.559] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0238.563] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.563] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0240, _Size=0x327e | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.565] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.565] memcpy (in: _Dst=0x4cc4008, _Src=0x8fb3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.567] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.568] memcpy (in: _Dst=0x4cc4008, _Src=0x8fbb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.570] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.570] memcpy (in: _Dst=0x4cc4008, _Src=0x8fc3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.574] memcpy (in: _Dst=0x4dc4e46, _Src=0x4cec020, _Size=0xd82 | out: _Dst=0x4dc4e46) returned 0x4dc4e46 [0238.574] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0238.577] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0238.577] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecda2, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.577] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0238.582] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0238.582] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0da2, _Size=0x2731 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.582] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.582] memcpy (in: _Dst=0x4cc4008, _Src=0x8fcb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.585] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.585] memcpy (in: _Dst=0x4cc4008, _Src=0x8fd3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.589] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.589] memcpy (in: _Dst=0x4cc4008, _Src=0x8fdb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.592] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.592] memcpy (in: _Dst=0x4cc4008, _Src=0x8fe3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.594] memcpy (in: _Dst=0x4dc42f9, _Src=0x4cec020, _Size=0x18cf | out: _Dst=0x4dc42f9) returned 0x4dc42f9 [0238.594] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0238.607] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0238.642] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced8ef, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.642] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0238.650] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0238.651] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf18ef, _Size=0x1d59 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.652] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.652] memcpy (in: _Dst=0x4cc4008, _Src=0x8feb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.655] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.655] memcpy (in: _Dst=0x4cc4008, _Src=0x8ff3020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.658] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.658] memcpy (in: _Dst=0x4cc4008, _Src=0x8ffb020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.661] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.661] memcpy (in: _Dst=0x4cc4008, _Src=0x9003020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.662] memcpy (in: _Dst=0x4dc3921, _Src=0x4cec020, _Size=0x22a7 | out: _Dst=0x4dc3921) returned 0x4dc3921 [0238.662] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0238.668] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0238.668] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee2c7, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.668] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0238.681] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0238.728] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf22c7, _Size=0x12b1 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.729] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.730] memcpy (in: _Dst=0x4cc4008, _Src=0x900b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.731] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.732] memcpy (in: _Dst=0x4cc4008, _Src=0x9013020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.734] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.734] memcpy (in: _Dst=0x4cc4008, _Src=0x901b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.735] memcpy (in: _Dst=0x4dc2e79, _Src=0x4cec020, _Size=0x2d4f | out: _Dst=0x4dc2e79) returned 0x4dc2e79 [0238.735] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0238.746] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0238.751] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed6f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.751] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x817c078 [0238.772] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0238.772] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2d6f, _Size=0x65b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0238.825] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.825] memcpy (in: _Dst=0x4cc4008, _Src=0x9023020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.827] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.827] memcpy (in: _Dst=0x4cc4008, _Src=0x902b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.829] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.829] memcpy (in: _Dst=0x4cc4008, _Src=0x9033020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.832] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0238.832] memcpy (in: _Dst=0x4cc4008, _Src=0x903b020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0238.832] memcpy (in: _Dst=0x4dc2223, _Src=0x4cec020, _Size=0x39a5 | out: _Dst=0x4dc2223) returned 0x4dc2223 [0238.832] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7ec7020 [0238.848] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x817c078 | out: hHeap=0x4d40000) returned 1 [0238.863] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x7f51020 [0238.956] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec7020 | out: hHeap=0x4d40000) returned 1 [0238.960] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x9a8b020 [0238.974] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f51020 | out: hHeap=0x4d40000) returned 1 [0238.990] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7ecc020 [0239.105] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a8b020 | out: hHeap=0x4d40000) returned 1 [0239.111] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x7f66020 [0239.132] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecc020 | out: hHeap=0x4d40000) returned 1 [0239.285] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7ec2020 [0239.305] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f66020 | out: hHeap=0x4d40000) returned 1 [0239.311] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x7f67020 [0239.393] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec2020 | out: hHeap=0x4d40000) returned 1 [0239.407] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x9a85020 [0239.427] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f67020 | out: hHeap=0x4d40000) returned 1 [0239.503] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7ecd020 [0239.521] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a85020 | out: hHeap=0x4d40000) returned 1 [0239.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x7f76020 [0239.691] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecd020 | out: hHeap=0x4d40000) returned 1 [0239.696] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x9a8c020 [0239.714] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f76020 | out: hHeap=0x4d40000) returned 1 [0239.727] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x7ec8020 [0239.823] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a8c020 | out: hHeap=0x4d40000) returned 1 [0239.904] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x9a8e020 [0239.923] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec8020 | out: hHeap=0x4d40000) returned 1 [0239.929] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x7ec1020 [0239.947] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a8e020 | out: hHeap=0x4d40000) returned 1 [0240.105] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x9a83020 [0240.128] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0240.308] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x7ec6020 [0240.328] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a83020 | out: hHeap=0x4d40000) returned 1 [0240.341] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x9a89020 [0240.649] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec6020 | out: hHeap=0x4d40000) returned 1 [0240.659] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x7ece020 [0240.683] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9a89020 | out: hHeap=0x4d40000) returned 1 [0240.793] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x930c020 [0240.817] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ece020 | out: hHeap=0x4d40000) returned 1 [0240.939] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x7ec5020 [0240.961] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930c020 | out: hHeap=0x4d40000) returned 1 [0240.975] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x930f020 [0241.074] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec5020 | out: hHeap=0x4d40000) returned 1 [0241.089] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x7ec1020 [0241.110] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930f020 | out: hHeap=0x4d40000) returned 1 [0241.266] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x930c020 [0241.284] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0241.299] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x7ecd020 [0241.410] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930c020 | out: hHeap=0x4d40000) returned 1 [0241.416] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x9305020 [0241.439] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecd020 | out: hHeap=0x4d40000) returned 1 [0241.600] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x7ec5020 [0241.619] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9305020 | out: hHeap=0x4d40000) returned 1 [0241.626] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x930c020 [0241.653] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec5020 | out: hHeap=0x4d40000) returned 1 [0241.667] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x7ec9020 [0241.740] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930c020 | out: hHeap=0x4d40000) returned 1 [0241.756] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x9308020 [0241.781] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec9020 | out: hHeap=0x4d40000) returned 1 [0241.909] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x7ec6020 [0241.940] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9308020 | out: hHeap=0x4d40000) returned 1 [0242.004] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x930b020 [0242.043] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec6020 | out: hHeap=0x4d40000) returned 1 [0242.133] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x7ec5020 [0242.159] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930b020 | out: hHeap=0x4d40000) returned 1 [0242.263] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x9300020 [0242.284] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec5020 | out: hHeap=0x4d40000) returned 1 [0242.375] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x7ec1020 [0242.396] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9300020 | out: hHeap=0x4d40000) returned 1 [0242.414] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x9308020 [0242.516] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0242.523] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x7ec1020 [0242.544] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9308020 | out: hHeap=0x4d40000) returned 1 [0242.671] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x930e020 [0242.694] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0242.857] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee508, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0242.857] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x7ecd020 [0243.004] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930e020 | out: hHeap=0x4d40000) returned 1 [0243.038] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x9305020 [0243.158] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecd020 | out: hHeap=0x4d40000) returned 1 [0243.188] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x7ec5020 [0243.220] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9305020 | out: hHeap=0x4d40000) returned 1 [0243.347] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x930d020 [0243.412] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec5020 | out: hHeap=0x4d40000) returned 1 [0243.425] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x7ece020 [0243.655] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x930d020 | out: hHeap=0x4d40000) returned 1 [0243.665] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124fbc) returned 0x930b020 [0243.730] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ece020 | out: hHeap=0x4d40000) returned 1 [0243.742] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0243.784] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0243.786] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0243.788] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0243.789] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0243.790] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0243.812] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8489020 | out: hHeap=0x4d40000) returned 1 [0243.898] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d8b020 | out: hHeap=0x4d40000) returned 1 [0244.021] DeleteDC (hdc=0x350109f1) returned 1 [0244.021] DeleteDC (hdc=0xd010736) returned 1 [0244.022] DeleteObject (ho=0x42050982) returned 1 [0244.022] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x44f41e76, dwHighDateTime=0x1d99f3b)) [0244.023] Sleep (dwMilliseconds=0x3a98) [0244.075] GetDC (hWnd=0x0) returned 0xd010736 [0244.106] CreateCompatibleDC (hdc=0xd010736) returned 0x1c010a2f [0244.106] GetDeviceCaps (hdc=0xd010736, index=8) returned 1440 [0244.106] GetDeviceCaps (hdc=0xd010736, index=10) returned 900 [0244.106] CreateCompatibleBitmap (hdc=0xd010736, cx=1440, cy=900) returned 0x38050731 [0244.203] SelectObject (hdc=0x1c010a2f, h=0x38050731) returned 0x185000f [0244.203] BitBlt (hdc=0x1c010a2f, x=0, y=0, cx=1440, cy=900, hdcSrc=0xd010736, x1=0, y1=0, rop=0xcc0020) returned 1 [0244.636] GetCursorInfo (in: pci=0x4cf95c | out: pci=0x4cf95c) returned 1 [0244.636] CopyIcon (hIcon=0x10019) returned 0x370381 [0244.638] GetIconInfo (in: hIcon=0x370381, piconinfo=0x4cf908 | out: piconinfo=0x4cf908) returned 1 [0244.638] GetObjectW (in: h=0x39050a44, c=24, pv=0x4cf91c | out: pv=0x4cf91c) returned 24 [0244.638] DrawIconEx (hdc=0x1c010a2f, xLeft=903, yTop=655, hIcon=0x10019, cxWidth=32, cyWidth=32, istepIfAniCur=0x0, hbrFlickerFreeDraw=0x0, diFlags=0x3) returned 1 [0244.638] SelectObject (hdc=0x1c010a2f, h=0x185000f) returned 0x38050731 [0244.638] GetObjectW (in: h=0x38050731, c=24, pv=0x4cf8f0 | out: pv=0x4cf8f0) returned 24 [0244.638] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a00) returned 0x8487020 [0244.685] GetDIBits (in: hdc=0x1c010a2f, hbm=0x38050731, start=0x0, cLines=0x384, lpvBits=0x8487020, lpbmi=0x4cf934, usage=0x0 | out: lpvBits=0x8487020, lpbmi=0x4cf934) returned 900 [0244.787] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4f1a36) returned 0x8d89020 [0244.904] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4000) returned 0x4dc1bc8 [0244.905] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x16c4) returned 0x4dc5bd0 [0244.905] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cbc008 [0244.907] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4ccc010 [0244.907] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cdc018 [0244.908] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10000) returned 0x4cec020 [0244.932] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4001) returned 0x4dcae38 [0244.933] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf001e, _Size=0x1316 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0244.933] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.933] memcpy (in: _Dst=0x4cc4008, _Src=0x8e11020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.935] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.935] memcpy (in: _Dst=0x4cc4008, _Src=0x8e19020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.936] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.936] memcpy (in: _Dst=0x4cc4008, _Src=0x8e21020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.938] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.938] memcpy (in: _Dst=0x4cc4008, _Src=0x8e29020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.940] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.940] memcpy (in: _Dst=0x4cc4008, _Src=0x8e31020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.940] memcpy (in: _Dst=0x4dc2ede, _Src=0x4cec020, _Size=0x2cea | out: _Dst=0x4dc2ede) returned 0x4dc2ede [0244.940] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8001) returned 0x4cfc028 [0244.942] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0244.942] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed0a, _Size=0x1e7d | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0244.943] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.943] memcpy (in: _Dst=0x4cc4008, _Src=0x8e39020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.944] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.944] memcpy (in: _Dst=0x4cc4008, _Src=0x8e41020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.946] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.946] memcpy (in: _Dst=0x4cc4008, _Src=0x8e49020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.948] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.948] memcpy (in: _Dst=0x4cc4008, _Src=0x8e51020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.948] memcpy (in: _Dst=0x4dc3a45, _Src=0x4cec020, _Size=0x2183 | out: _Dst=0x4dc3a45) returned 0x4dc3a45 [0244.948] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc001) returned 0x4c30450 [0244.952] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cfc028 | out: hHeap=0x4d40000) returned 1 [0244.952] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee1a3, _Size=0x2509 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0244.954] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.954] memcpy (in: _Dst=0x4cc4008, _Src=0x8e59020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.955] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.955] memcpy (in: _Dst=0x4cc4008, _Src=0x8e61020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.957] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.957] memcpy (in: _Dst=0x4cc4008, _Src=0x8e69020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.959] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.959] memcpy (in: _Dst=0x4cc4008, _Src=0x8e71020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.961] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.961] memcpy (in: _Dst=0x4cc4008, _Src=0x8e79020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.965] memcpy (in: _Dst=0x4dc40d1, _Src=0x4cec020, _Size=0x1af7 | out: _Dst=0x4dc40d1) returned 0x4dc40d1 [0244.965] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10001) returned 0x4c3c460 [0244.967] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0244.967] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedb17, _Size=0x2970 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0244.968] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.968] memcpy (in: _Dst=0x4cc4008, _Src=0x8e81020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.971] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.971] memcpy (in: _Dst=0x4cc4008, _Src=0x8e89020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.975] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.975] memcpy (in: _Dst=0x4cc4008, _Src=0x8e91020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.980] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.981] memcpy (in: _Dst=0x4cc4008, _Src=0x8e99020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.986] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.986] memcpy (in: _Dst=0x4cc4008, _Src=0x8ea1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0244.990] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0244.990] memcpy (in: _Dst=0x4cc4008, _Src=0x8ea9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.018] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.018] memcpy (in: _Dst=0x4cc4008, _Src=0x8eb1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.021] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.022] memcpy (in: _Dst=0x4cc4008, _Src=0x8eb9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.022] memcpy (in: _Dst=0x4dc4538, _Src=0x4cec020, _Size=0x1690 | out: _Dst=0x4dc4538) returned 0x4dc4538 [0245.022] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x14001) returned 0x4c4c470 [0245.025] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c3c460 | out: hHeap=0x4d40000) returned 1 [0245.057] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced6b0, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.057] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x18001) returned 0x4c30450 [0245.060] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c4c470 | out: hHeap=0x4d40000) returned 1 [0245.060] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf16b0, _Size=0x140c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.062] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.062] memcpy (in: _Dst=0x4cc4008, _Src=0x8ec1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.064] memcpy (in: _Dst=0x4dc2fd4, _Src=0x4cec020, _Size=0x2bf4 | out: _Dst=0x4dc2fd4) returned 0x4dc2fd4 [0245.064] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1c001) returned 0x4c48460 [0245.066] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.066] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceec14, _Size=0x29c1 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.067] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.067] memcpy (in: _Dst=0x4cc4008, _Src=0x8ec9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.069] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.069] memcpy (in: _Dst=0x4cc4008, _Src=0x8ed1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.071] memcpy (in: _Dst=0x4dc4589, _Src=0x4cec020, _Size=0x163f | out: _Dst=0x4dc4589) returned 0x4dc4589 [0245.071] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20001) returned 0x4d5d2b0 [0245.078] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c48460 | out: hHeap=0x4d40000) returned 1 [0245.078] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced65f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.078] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x24001) returned 0x4d7d2c0 [0245.082] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.082] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf165f, _Size=0x3f1 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.082] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.082] memcpy (in: _Dst=0x4cc4008, _Src=0x8ed9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.083] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.083] memcpy (in: _Dst=0x4cc4008, _Src=0x8ee1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.085] memcpy (in: _Dst=0x4dc1fb9, _Src=0x4cec020, _Size=0x3c0f | out: _Dst=0x4dc1fb9) returned 0x4dc1fb9 [0245.085] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28001) returned 0x4c30450 [0245.087] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d7d2c0 | out: hHeap=0x4d40000) returned 1 [0245.087] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cefc2f, _Size=0x1fe0 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.088] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.088] memcpy (in: _Dst=0x4cc4008, _Src=0x8ee9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.089] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.089] memcpy (in: _Dst=0x4cc4008, _Src=0x8ef1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.091] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.091] memcpy (in: _Dst=0x4cc4008, _Src=0x8ef9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.091] memcpy (in: _Dst=0x4dc3ba8, _Src=0x4cec020, _Size=0x2020 | out: _Dst=0x4dc3ba8) returned 0x4dc3ba8 [0245.091] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x2c001) returned 0x4d5d2b0 [0245.094] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.094] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee040, _Size=0x3ec9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.095] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.095] memcpy (in: _Dst=0x4cc4008, _Src=0x8f01020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.096] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.096] memcpy (in: _Dst=0x4cc4008, _Src=0x8f09020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.097] memcpy (in: _Dst=0x4dc5a91, _Src=0x4cec020, _Size=0x137 | out: _Dst=0x4dc5a91) returned 0x4dc5a91 [0245.097] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x30001) returned 0x4d892c0 [0245.101] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.102] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec157, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.102] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x34001) returned 0x4c30450 [0245.105] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d892c0 | out: hHeap=0x4d40000) returned 1 [0245.207] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0157, _Size=0x20b1 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.208] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.208] memcpy (in: _Dst=0x4cc4008, _Src=0x8f11020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.210] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.210] memcpy (in: _Dst=0x4cc4008, _Src=0x8f19020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.211] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.212] memcpy (in: _Dst=0x4cc4008, _Src=0x8f21020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.213] memcpy (in: _Dst=0x4dc3c79, _Src=0x4cec020, _Size=0x1f4f | out: _Dst=0x4dc3c79) returned 0x4dc3c79 [0245.213] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x38001) returned 0x4d5d2b0 [0245.217] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.217] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cedf6f, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.217] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3c001) returned 0x4c30450 [0245.221] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.221] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1f6f, _Size=0x7df | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.222] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.222] memcpy (in: _Dst=0x4cc4008, _Src=0x8f29020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.224] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.224] memcpy (in: _Dst=0x4cc4008, _Src=0x8f31020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.225] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.226] memcpy (in: _Dst=0x4cc4008, _Src=0x8f39020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.227] memcpy (in: _Dst=0x4dc23a7, _Src=0x4cec020, _Size=0x3821 | out: _Dst=0x4dc23a7) returned 0x4dc23a7 [0245.227] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x40001) returned 0x4d5d2b0 [0245.240] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.240] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef841, _Size=0x32ef | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.241] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.241] memcpy (in: _Dst=0x4cc4008, _Src=0x8f41020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.244] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.244] memcpy (in: _Dst=0x4cc4008, _Src=0x8f49020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.246] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.246] memcpy (in: _Dst=0x4cc4008, _Src=0x8f51020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.247] memcpy (in: _Dst=0x4dc4eb7, _Src=0x4cec020, _Size=0xd11 | out: _Dst=0x4dc4eb7) returned 0x4dc4eb7 [0245.247] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x44001) returned 0x4c30450 [0245.250] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.250] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecd31, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.251] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x48001) returned 0x4d5d2b0 [0245.253] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.253] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0d31, _Size=0x1da9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.254] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.254] memcpy (in: _Dst=0x4cc4008, _Src=0x8f59020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.256] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.256] memcpy (in: _Dst=0x4cc4008, _Src=0x8f61020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.258] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.258] memcpy (in: _Dst=0x4cc4008, _Src=0x8f69020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.298] memcpy (in: _Dst=0x4dc3971, _Src=0x4cec020, _Size=0x2257 | out: _Dst=0x4dc3971) returned 0x4dc3971 [0245.298] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4c001) returned 0x4c30450 [0245.304] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.304] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee277, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.304] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x50001) returned 0x4d5d2b0 [0245.309] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30450 | out: hHeap=0x4d40000) returned 1 [0245.311] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2277, _Size=0xa1c | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.312] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.312] memcpy (in: _Dst=0x4cc4008, _Src=0x8f71020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.315] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.315] memcpy (in: _Dst=0x4cc4008, _Src=0x8f79020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.317] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.317] memcpy (in: _Dst=0x4cc4008, _Src=0x8f81020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.319] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.319] memcpy (in: _Dst=0x4cc4008, _Src=0x8f89020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.321] memcpy (in: _Dst=0x4dc25e4, _Src=0x4cec020, _Size=0x35e4 | out: _Dst=0x4dc25e4) returned 0x4dc25e4 [0245.321] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x54001) returned 0x8980048 [0245.331] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.331] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cef604, _Size=0x3dab | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.333] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.333] memcpy (in: _Dst=0x4cc4008, _Src=0x8f91020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.336] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.336] memcpy (in: _Dst=0x4cc4008, _Src=0x8f99020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.378] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.378] memcpy (in: _Dst=0x4cc4008, _Src=0x8fa1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.381] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.381] memcpy (in: _Dst=0x4cc4008, _Src=0x8fa9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.383] memcpy (in: _Dst=0x4dc5973, _Src=0x4cec020, _Size=0x255 | out: _Dst=0x4dc5973) returned 0x4dc5973 [0245.383] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x58001) returned 0x4d5d2b0 [0245.386] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0245.391] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cec275, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.391] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x5c001) returned 0x8980048 [0245.396] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.396] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0275, _Size=0x3222 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.399] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.399] memcpy (in: _Dst=0x4cc4008, _Src=0x8fb1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.402] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.402] memcpy (in: _Dst=0x4cc4008, _Src=0x8fb9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.406] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.406] memcpy (in: _Dst=0x4cc4008, _Src=0x8fc1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.410] memcpy (in: _Dst=0x4dc4dea, _Src=0x4cec020, _Size=0xdde | out: _Dst=0x4dc4dea) returned 0x4dc4dea [0245.410] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x60001) returned 0x4d5d2b0 [0245.416] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0245.444] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cecdfe, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.444] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x64001) returned 0x8980048 [0245.452] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4d5d2b0 | out: hHeap=0x4d40000) returned 1 [0245.452] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf0dfe, _Size=0x26d9 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.452] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.453] memcpy (in: _Dst=0x4cc4008, _Src=0x8fc9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.456] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.456] memcpy (in: _Dst=0x4cc4008, _Src=0x8fd1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.459] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.459] memcpy (in: _Dst=0x4cc4008, _Src=0x8fd9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.462] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.463] memcpy (in: _Dst=0x4cc4008, _Src=0x8fe1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.465] memcpy (in: _Dst=0x4dc42a1, _Src=0x4cec020, _Size=0x1927 | out: _Dst=0x4dc42a1) returned 0x4dc42a1 [0245.465] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x68001) returned 0x8020048 [0245.478] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0245.525] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ced947, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.525] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6c001) returned 0x8980048 [0245.528] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0245.529] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf1947, _Size=0x1cf3 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.530] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.530] memcpy (in: _Dst=0x4cc4008, _Src=0x8fe9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.533] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.533] memcpy (in: _Dst=0x4cc4008, _Src=0x8ff1020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.536] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.536] memcpy (in: _Dst=0x4cc4008, _Src=0x8ff9020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.538] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.538] memcpy (in: _Dst=0x4cc4008, _Src=0x9001020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.540] memcpy (in: _Dst=0x4dc38bb, _Src=0x4cec020, _Size=0x230d | out: _Dst=0x4dc38bb) returned 0x4dc38bb [0245.540] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x70001) returned 0x8020048 [0245.548] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8980048 | out: hHeap=0x4d40000) returned 1 [0245.548] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cee32d, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.548] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x74001) returned 0x8090058 [0245.582] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0245.582] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf232d, _Size=0x1282 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.584] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.584] memcpy (in: _Dst=0x4cc4008, _Src=0x9009020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.586] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.586] memcpy (in: _Dst=0x4cc4008, _Src=0x9011020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.685] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.685] memcpy (in: _Dst=0x4cc4008, _Src=0x9019020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.687] memcpy (in: _Dst=0x4dc2e4a, _Src=0x4cec020, _Size=0x2d7e | out: _Dst=0x4dc2e4a) returned 0x4dc2e4a [0245.687] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x78001) returned 0x8104068 [0245.700] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8090058 | out: hHeap=0x4d40000) returned 1 [0245.707] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4ceed9e, _Size=0x4000 | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.707] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x7c001) returned 0x8020048 [0245.723] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8104068 | out: hHeap=0x4d40000) returned 1 [0245.822] memcpy (in: _Dst=0x4dc1bc8, _Src=0x4cf2d9e, _Size=0x64b | out: _Dst=0x4dc1bc8) returned 0x4dc1bc8 [0245.823] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.823] memcpy (in: _Dst=0x4cc4008, _Src=0x9021020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.826] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.826] memcpy (in: _Dst=0x4cc4008, _Src=0x9029020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.828] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.828] memcpy (in: _Dst=0x4cc4008, _Src=0x9031020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.830] memcpy (in: _Dst=0x4cbc008, _Src=0x4cc4008, _Size=0x8000 | out: _Dst=0x4cbc008) returned 0x4cbc008 [0245.830] memcpy (in: _Dst=0x4cc4008, _Src=0x9039020, _Size=0x8000 | out: _Dst=0x4cc4008) returned 0x4cc4008 [0245.831] memcpy (in: _Dst=0x4dc2213, _Src=0x4cec020, _Size=0x39b5 | out: _Dst=0x4dc2213) returned 0x4dc2213 [0245.831] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x80001) returned 0x7ec1020 [0245.841] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8020048 | out: hHeap=0x4d40000) returned 1 [0245.850] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x84001) returned 0x7f56020 [0245.866] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0245.986] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x88001) returned 0x7ec6020 [0246.003] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f56020 | out: hHeap=0x4d40000) returned 1 [0246.019] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8c001) returned 0x7f5d020 [0246.128] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec6020 | out: hHeap=0x4d40000) returned 1 [0246.132] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x90001) returned 0x944d020 [0246.147] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f5d020 | out: hHeap=0x4d40000) returned 1 [0246.158] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x94001) returned 0x7ec7020 [0246.230] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944d020 | out: hHeap=0x4d40000) returned 1 [0246.249] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x98001) returned 0x7f61020 [0246.265] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec7020 | out: hHeap=0x4d40000) returned 1 [0246.423] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9c001) returned 0x944e020 [0246.440] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f61020 | out: hHeap=0x4d40000) returned 1 [0246.445] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa0001) returned 0x7ecb020 [0246.462] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944e020 | out: hHeap=0x4d40000) returned 1 [0246.484] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa4001) returned 0x7f70020 [0246.503] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecb020 | out: hHeap=0x4d40000) returned 1 [0246.508] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa8001) returned 0x7ec1020 [0246.527] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7f70020 | out: hHeap=0x4d40000) returned 1 [0246.550] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac001) returned 0x9449020 [0246.601] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0246.653] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb0001) returned 0x7ecc020 [0246.672] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9449020 | out: hHeap=0x4d40000) returned 1 [0246.735] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb4001) returned 0x9446020 [0246.759] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecc020 | out: hHeap=0x4d40000) returned 1 [0246.830] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb8001) returned 0x7ec1020 [0246.855] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9446020 | out: hHeap=0x4d40000) returned 1 [0246.865] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xbc001) returned 0x9449020 [0246.964] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0246.985] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc0001) returned 0x7ec9020 [0247.068] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9449020 | out: hHeap=0x4d40000) returned 1 [0247.075] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc4001) returned 0x944a020 [0247.097] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec9020 | out: hHeap=0x4d40000) returned 1 [0247.145] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc8001) returned 0x7ec0020 [0247.168] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944a020 | out: hHeap=0x4d40000) returned 1 [0247.234] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xcc001) returned 0x9443020 [0247.266] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec0020 | out: hHeap=0x4d40000) returned 1 [0247.273] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd0001) returned 0x7ec2020 [0247.385] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9443020 | out: hHeap=0x4d40000) returned 1 [0247.399] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd4001) returned 0x944c020 [0247.417] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec2020 | out: hHeap=0x4d40000) returned 1 [0247.492] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd8001) returned 0x7ecb020 [0247.515] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944c020 | out: hHeap=0x4d40000) returned 1 [0247.569] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xdc001) returned 0x944f020 [0247.703] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecb020 | out: hHeap=0x4d40000) returned 1 [0247.709] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe0001) returned 0x7ecb020 [0247.809] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944f020 | out: hHeap=0x4d40000) returned 1 [0247.827] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe4001) returned 0x944e020 [0247.933] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ecb020 | out: hHeap=0x4d40000) returned 1 [0247.941] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe8001) returned 0x7eca020 [0247.969] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944e020 | out: hHeap=0x4d40000) returned 1 [0248.023] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xec001) returned 0x9442020 [0248.050] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7eca020 | out: hHeap=0x4d40000) returned 1 [0248.102] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf0001) returned 0x7ec8020 [0248.123] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9442020 | out: hHeap=0x4d40000) returned 1 [0248.194] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf4001) returned 0x9443020 [0248.222] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec8020 | out: hHeap=0x4d40000) returned 1 [0248.318] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf8001) returned 0x7ec1020 [0248.342] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9443020 | out: hHeap=0x4d40000) returned 1 [0248.400] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfc001) returned 0x9445020 [0248.429] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec1020 | out: hHeap=0x4d40000) returned 1 [0248.497] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x100001) returned 0x7ec8020 [0248.525] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9445020 | out: hHeap=0x4d40000) returned 1 [0248.562] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x104001) returned 0x9441020 [0248.586] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec8020 | out: hHeap=0x4d40000) returned 1 [0248.689] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x108001) returned 0x7ec5020 [0248.761] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9441020 | out: hHeap=0x4d40000) returned 1 [0248.768] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10c001) returned 0x9449020 [0248.866] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec5020 | out: hHeap=0x4d40000) returned 1 [0248.909] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x110001) returned 0x7ec0020 [0248.943] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9449020 | out: hHeap=0x4d40000) returned 1 [0248.974] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x114001) returned 0x9440020 [0249.009] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec0020 | out: hHeap=0x4d40000) returned 1 [0249.057] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x118001) returned 0x7ec7020 [0249.080] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x9440020 | out: hHeap=0x4d40000) returned 1 [0249.207] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11c001) returned 0x944d020 [0249.238] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec7020 | out: hHeap=0x4d40000) returned 1 [0249.299] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x120001) returned 0x7ec6020 [0249.322] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944d020 | out: hHeap=0x4d40000) returned 1 [0249.387] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124001) returned 0x944e020 [0249.412] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x7ec6020 | out: hHeap=0x4d40000) returned 1 [0249.464] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x124eea) returned 0x7ec3020 [0249.488] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x944e020 | out: hHeap=0x4d40000) returned 1 [0249.502] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cec020 | out: hHeap=0x4d40000) returned 1 [0249.503] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cdc018 | out: hHeap=0x4d40000) returned 1 [0249.781] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4ccc010 | out: hHeap=0x4d40000) returned 1 [0249.783] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0249.784] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc5bd0 | out: hHeap=0x4d40000) returned 1 [0249.785] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0249.808] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8487020 | out: hHeap=0x4d40000) returned 1 [0250.012] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x8d89020 | out: hHeap=0x4d40000) returned 1 [0250.209] DeleteDC (hdc=0x1c010a2f) returned 1 [0250.209] DeleteDC (hdc=0xd010736) returned 1 [0250.226] DeleteObject (ho=0x38050731) returned 1 [0250.227] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x4cf988 | out: lpSystemTimeAsFileTime=0x4cf988*(dwLowDateTime=0x48a80ffc, dwHighDateTime=0x1d99f3b)) Thread: id = 441 os_tid = 0xd04 [0154.933] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0x3a98) returned 0x0 [0154.934] CloseHandle (hObject=0x298) returned 1 [0154.934] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0155.229] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x4c2f428 | out: phkResult=0x4c2f428*=0x250) returned 0x0 [0155.230] RegQueryValueExA (in: hKey=0x250, lpValueName="3665b42c", lpReserved=0x0, lpType=0x4c2f420, lpData=0x0, lpcbData=0x4c2f424*=0x0 | out: lpType=0x4c2f420*=0x0, lpData=0x0, lpcbData=0x4c2f424*=0x0) returned 0x2 [0155.230] RegCloseKey (hKey=0x250) returned 0x0 [0155.230] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0155.230] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0155.230] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc18 | out: hHeap=0x4d40000) returned 1 [0155.231] CloseHandle (hObject=0x29c) returned 1 [0155.231] ReleaseMutex (hMutex=0x234) returned 1 Thread: id = 442 os_tid = 0xd20 [0154.935] WaitForSingleObject (hHandle=0x290, dwMilliseconds=0x3a98) returned 0x0 [0154.935] CloseHandle (hObject=0x290) returned 1 [0154.935] ConnectNamedPipe (hNamedPipe=0x28c, lpOverlapped=0x0) Thread: id = 443 os_tid = 0x9c8 [0154.936] WaitForSingleObject (hHandle=0x264, dwMilliseconds=0x3a98) returned 0x0 [0154.936] CloseHandle (hObject=0x264) returned 1 [0154.936] GetModuleHandleA (lpModuleName=0x0) returned 0x910000 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.937] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.938] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.939] lstrlenW (lpString="䉁䑃䙅") returned 3 [0154.939] RegisterClassExA (param_1=0x49efa3c) returned 0xc1da [0160.932] CreateWindowExA (dwExStyle=0x0, lpClassName="tqivanvtalwkqcduuetoyuzkkcdxyqccbihoyw", lpWindowName="tqivanvtalwkqcduuetoyuzkkcdxyqccbihoyw", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=500, nHeight=100, hWndParent=0x0, hMenu=0x0, hInstance=0x910000, lpParam=0x0) returned 0x31020e [0160.956] ShowWindow (hWnd=0x31020e, nCmdShow=0) returned 0 [0160.957] UpdateWindow (hWnd=0x31020e) returned 1 [0160.957] GetMessageA (in: lpMsg=0x49efa20, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x49efa20) returned 1 [0160.959] TranslateMessage (lpMsg=0x49efa20) returned 0 [0160.959] DispatchMessageA (lpMsg=0x49efa20) returned 0x0 [0160.959] GetMessageA (lpMsg=0x49efa20, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0) Thread: id = 444 os_tid = 0xcf0 [0154.939] WaitForSingleObject (hHandle=0x250, dwMilliseconds=0x3a98) returned 0x0 [0154.939] CloseHandle (hObject=0x250) returned 1 [0154.939] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4dbfc90 [0155.235] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x55f834 | out: phkResult=0x55f834*=0x29c) returned 0x0 [0155.235] RegQueryValueExA (in: hKey=0x29c, lpValueName="6e06a47a", lpReserved=0x0, lpType=0x55f82c, lpData=0x0, lpcbData=0x55f830*=0x0 | out: lpType=0x55f82c*=0x0, lpData=0x0, lpcbData=0x55f830*=0x0) returned 0x2 [0155.235] RegCloseKey (hKey=0x29c) returned 0x0 [0155.236] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dbfc90 | out: hHeap=0x4d40000) returned 1 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x296) returned 0x4dca1d0 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xac) returned 0x4dca470 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1e) returned 0x4dbfc90 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1e) returned 0x4dca528 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfcb8 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dbfc18 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dca550 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca568 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dca580 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca598 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12) returned 0x4dca5b0 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf) returned 0x4dca5d0 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca5e8 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca600 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11) returned 0x4dca618 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11) returned 0x4dca638 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12) returned 0x4dca658 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca678 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca690 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca6a8 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca6c0 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca6d8 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca898 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca7d8 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca8b0 [0155.236] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11) returned 0x4dcacf8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12) returned 0x4dcad18 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dca778 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca748 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x12) returned 0x4dcad38 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11) returned 0x4dcad58 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dcad78 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca7c0 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dca7f0 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca7a8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dca838 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dcad98 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x15) returned 0x4dcadb8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf) returned 0x4dca8c8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf) returned 0x4dca718 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dcadd8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xf) returned 0x4dca730 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x11) returned 0x4dcadf8 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x13) returned 0x4dcae18 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x9) returned 0x4dca760 [0155.237] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca808 [0155.237] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x29c [0155.249] Process32First (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.251] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dcae38 [0155.251] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dcae38 | out: hHeap=0x4d40000) returned 1 [0155.251] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x77, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0155.253] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x4) returned 0xffffffff [0155.257] GetLastError () returned 0x5 [0155.257] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0155.260] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x138) returned 0xffffffff [0155.263] GetLastError () returned 0x5 [0155.263] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0155.264] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x180) returned 0xffffffff [0155.267] GetLastError () returned 0x5 [0155.267] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0155.269] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x1bc) returned 0xffffffff [0155.272] GetLastError () returned 0x5 [0155.272] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0160.892] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x1c8) returned 0xffffffff [0160.894] GetLastError () returned 0x5 [0160.894] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0160.895] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x1fc) returned 0xffffffff [0160.897] GetLastError () returned 0x5 [0160.897] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0160.898] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x214) returned 0xffffffff [0160.900] GetLastError () returned 0x5 [0160.901] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0160.901] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x21c) returned 0xffffffff [0160.903] GetLastError () returned 0x5 [0160.903] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.904] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x274) returned 0xffffffff [0160.906] GetLastError () returned 0x5 [0160.906] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.907] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x294) returned 0xffffffff [0160.910] GetLastError () returned 0x5 [0160.910] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1fc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0160.911] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x304) returned 0xffffffff [0160.913] GetLastError () returned 0x5 [0160.913] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.913] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x364) returned 0xffffffff [0160.916] GetLastError () returned 0x5 [0160.916] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.917] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x37c) returned 0xffffffff [0160.919] GetLastError () returned 0x5 [0160.919] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.920] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x390) returned 0xffffffff [0160.922] GetLastError () returned 0x5 [0160.922] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.923] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x3a0) returned 0xffffffff [0160.925] GetLastError () returned 0x5 [0160.925] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.926] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x3f0) returned 0xffffffff [0160.928] GetLastError () returned 0x5 [0160.928] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.929] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x210) returned 0xffffffff [0166.811] GetLastError () returned 0x5 [0166.811] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0166.812] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x45c) returned 0xffffffff [0166.815] GetLastError () returned 0x5 [0166.816] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0166.816] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x508) returned 0xffffffff [0166.820] GetLastError () returned 0x5 [0166.820] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0166.822] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x538) returned 0xffffffff [0166.826] GetLastError () returned 0x12b [0166.826] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0166.827] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x604) returned 0xffffffff [0166.831] GetLastError () returned 0x12b [0166.831] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0166.832] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x644) returned 0xffffffff [0166.835] GetLastError () returned 0x5 [0166.835] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x778, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x764, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0166.836] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x778) returned 0xffffffff [0166.841] GetLastError () returned 0x12b [0166.841] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0166.842] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x7fc) returned 0xffffffff [0166.845] GetLastError () returned 0x12b [0166.845] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0166.846] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x8b4) returned 0xffffffff [0172.713] GetLastError () returned 0x12b [0172.713] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0172.714] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x92c) returned 0xffffffff [0172.717] GetLastError () returned 0x12b [0172.717] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.718] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x828) returned 0xffffffff [0172.721] GetLastError () returned 0x12b [0172.721] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0172.722] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf8) returned 0xffffffff [0172.725] GetLastError () returned 0x5 [0172.725] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ApplicationFrameHost.exe")) returned 1 [0172.726] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xa54) returned 0xffffffff [0172.729] GetLastError () returned 0x12b [0172.729] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SystemSettings.exe")) returned 1 [0172.730] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xa50) returned 0xffffffff [0172.734] GetLastError () returned 0x12b [0172.734] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0172.735] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x86c) returned 0xffffffff [0172.738] GetLastError () returned 0x12b [0172.738] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0172.739] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xb64) returned 0xffffffff [0172.741] GetLastError () returned 0x57 [0172.741] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0172.743] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x330) returned 0xffffffff [0172.745] GetLastError () returned 0x5 [0172.745] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0172.746] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x324) returned 0xffffffff [0172.749] GetLastError () returned 0x12b [0172.749] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="require-wife.exe")) returned 1 [0172.750] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xde0) returned 0x2b0 [0178.640] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.641] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.641] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.642] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.643] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.643] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.644] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.645] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.645] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.646] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.647] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.647] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.648] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.649] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.649] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.650] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.651] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.651] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0178.652] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0178.653] CloseHandle (hObject=0x2b0) returned 1 [0178.654] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hold_just.exe")) returned 1 [0178.655] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xde8) returned 0x250 [0178.667] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.668] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.668] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.669] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.670] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.670] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.671] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.672] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.672] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.673] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.674] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.674] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.675] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.676] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.676] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.677] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.678] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.678] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0178.679] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0178.680] CloseHandle (hObject=0x250) returned 1 [0183.384] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hear.exe")) returned 1 [0183.386] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xdf4) returned 0x2b0 [0183.402] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.403] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.404] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.405] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.406] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.407] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.407] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.408] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.409] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.410] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.411] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.412] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.413] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.414] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.415] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.416] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.417] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.418] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0183.419] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0183.420] CloseHandle (hObject=0x2b0) returned 1 [0183.420] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sourcecampaignmake.exe")) returned 1 [0183.421] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe04) returned 0x250 [0188.145] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.146] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.147] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.148] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.149] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.149] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.150] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.151] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.152] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.153] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.154] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.155] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.156] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.157] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.158] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.158] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.159] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.160] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0188.161] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0188.162] CloseHandle (hObject=0x250) returned 1 [0188.162] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="natureinformationidea.exe")) returned 1 [0188.163] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe0c) returned 0x2b0 [0188.179] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0188.180] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0188.181] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0188.182] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0188.183] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0188.183] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.884] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.885] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.886] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.886] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.887] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.888] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.888] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.889] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.890] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.890] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.891] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.892] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0192.892] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0192.893] CloseHandle (hObject=0x2b0) returned 1 [0192.893] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="entire-oil-if.exe")) returned 1 [0192.894] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe20) returned 0x250 [0192.907] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.908] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.908] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.909] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.910] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.910] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.911] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.912] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.913] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.914] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.914] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.915] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.916] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.916] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.917] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.918] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.919] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.919] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0192.920] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0192.921] CloseHandle (hObject=0x250) returned 1 [0192.921] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="him_between.exe")) returned 1 [0192.922] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe2c) returned 0x2b0 [0197.639] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.640] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.641] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.641] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.642] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.643] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.644] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.644] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.645] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.646] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.646] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.647] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.648] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.649] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.650] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.650] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.651] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.652] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0197.652] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0197.653] CloseHandle (hObject=0x2b0) returned 1 [0197.653] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sort few.exe")) returned 1 [0197.654] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe38) returned 0x250 [0197.666] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.667] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.668] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.668] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.669] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.670] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.671] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.671] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.672] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.673] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.673] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.674] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.675] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.675] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.676] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.677] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.677] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.678] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0197.679] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0202.383] CloseHandle (hObject=0x250) returned 1 [0202.384] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="involve_her_hundred.exe")) returned 1 [0202.385] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe40) returned 0x2b0 [0202.398] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.399] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.399] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.400] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.401] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.401] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.402] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.403] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.403] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.404] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.405] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.405] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.406] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.407] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.407] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.408] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.409] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.410] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0202.410] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0202.411] CloseHandle (hObject=0x2b0) returned 1 [0202.411] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="page.exe")) returned 1 [0202.412] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe54) returned 0x250 [0207.152] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.154] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.155] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.156] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.157] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.158] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.159] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.159] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.160] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.161] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.162] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.184] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.185] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.186] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.186] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.187] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.188] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.188] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0207.189] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0207.190] CloseHandle (hObject=0x250) returned 1 [0207.191] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="say glass.exe")) returned 1 [0207.192] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe5c) returned 0x2b0 [0213.128] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.128] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.129] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.130] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.131] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.131] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.132] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.133] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.134] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.134] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.135] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.136] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.136] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.137] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.138] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.138] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.139] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.140] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0213.140] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0213.141] CloseHandle (hObject=0x2b0) returned 1 [0213.141] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour.exe")) returned 1 [0213.142] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe6c) returned 0x250 [0213.156] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.157] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.157] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.158] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.159] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.159] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.160] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.161] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.161] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.162] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0213.163] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.044] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.044] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.045] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.046] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.047] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.047] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.048] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0219.049] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0219.050] CloseHandle (hObject=0x250) returned 1 [0219.050] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="red.exe")) returned 1 [0219.052] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe74) returned 0x2b0 [0219.065] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.065] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.066] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.067] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.067] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.068] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.069] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.070] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.070] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.071] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.072] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.072] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.073] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.074] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.074] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.075] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.076] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.076] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0219.077] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0219.078] CloseHandle (hObject=0x2b0) returned 1 [0219.078] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="stockupon.exe")) returned 1 [0219.079] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe84) returned 0x250 [0224.955] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.956] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.957] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.958] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.958] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.959] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.960] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.961] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.961] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.962] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.963] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.963] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.964] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.965] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.965] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.966] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.967] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.967] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0224.968] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0224.969] CloseHandle (hObject=0x250) returned 1 [0224.970] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="method.exe")) returned 1 [0224.971] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xe90) returned 0x2b0 [0224.983] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.983] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.984] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.985] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.986] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.986] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.987] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.988] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.988] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.989] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.990] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.990] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0224.991] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.695] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.696] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.697] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.698] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.699] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0229.700] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0229.701] CloseHandle (hObject=0x2b0) returned 1 [0229.702] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="huge-on-his.exe")) returned 1 [0229.704] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xea0) returned 0x250 [0229.723] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.725] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.726] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.727] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.728] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.729] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.730] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.730] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.731] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.732] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.733] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.734] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.735] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.736] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.737] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.737] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.738] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0229.739] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0234.449] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0234.450] CloseHandle (hObject=0x250) returned 1 [0234.451] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0234.452] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xeb0) returned 0x2b0 [0234.464] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.465] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.465] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.466] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.467] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.467] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.468] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.469] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.470] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.470] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.471] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.472] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.472] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.473] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.474] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.474] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.475] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.476] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0234.476] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0234.477] CloseHandle (hObject=0x2b0) returned 1 [0234.516] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0234.517] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xec0) returned 0x250 [0240.393] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.394] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.395] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.396] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.397] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.398] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.398] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.400] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.400] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.401] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.402] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.403] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.404] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.405] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.406] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.406] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.407] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.408] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0240.409] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0240.410] CloseHandle (hObject=0x250) returned 1 [0240.411] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0240.412] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xec8) returned 0x2b0 [0240.430] Module32First (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.134] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.135] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.136] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.137] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.138] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.139] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.140] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.140] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.141] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.142] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.143] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.144] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.145] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.145] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.146] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.147] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.148] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 1 [0245.149] Module32Next (hSnapshot=0x2b0, lpme=0x55f63c) returned 0 [0245.151] CloseHandle (hObject=0x2b0) returned 1 [0245.152] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0245.153] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xed0) returned 0x1fc [0245.169] Module32First (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.169] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.170] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.171] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.172] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.173] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.174] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.175] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.176] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.177] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.178] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.179] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0245.180] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.889] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.890] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.891] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.892] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.893] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0249.894] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 0 [0249.894] CloseHandle (hObject=0x1fc) returned 1 [0249.895] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0249.895] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xedc) returned 0x1d8 [0249.908] Module32First (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.908] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.909] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.910] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.911] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.911] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.912] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.913] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.913] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.914] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.915] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.915] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.916] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.917] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.918] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.918] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.919] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.920] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0249.920] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 0 [0249.921] CloseHandle (hObject=0x1d8) returned 1 [0249.921] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0249.922] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xef0) returned 0x1fc [0254.641] Module32First (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.642] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.643] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.644] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.644] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.645] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.646] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.647] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.648] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.649] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.650] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.651] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.651] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.652] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.653] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.654] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.655] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.656] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0254.657] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 0 [0254.657] CloseHandle (hObject=0x1fc) returned 1 [0254.659] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0254.660] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xef8) returned 0x1d8 [0254.675] Module32First (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.676] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.677] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.677] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.678] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.679] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0254.680] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.390] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.392] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.392] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.393] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.394] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.395] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.396] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.397] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.398] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.399] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.400] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 1 [0259.400] Module32Next (hSnapshot=0x1d8, lpme=0x55f63c) returned 0 [0259.401] CloseHandle (hObject=0x1d8) returned 1 [0259.403] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0259.407] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf04) returned 0x1fc [0259.424] Module32First (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.425] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.426] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.427] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.428] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.429] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.430] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.431] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.431] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.432] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.433] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0259.434] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.139] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.140] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.141] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.142] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.143] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.144] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 1 [0264.145] Module32Next (hSnapshot=0x1fc, lpme=0x55f63c) returned 0 [0264.146] CloseHandle (hObject=0x1fc) returned 1 [0264.146] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0264.148] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf0c) returned 0x250 [0264.164] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.164] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.165] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.166] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.167] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.168] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.171] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.172] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.173] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.174] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.175] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.176] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.177] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.177] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.178] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.179] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.180] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.180] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0264.181] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0264.182] CloseHandle (hObject=0x250) returned 1 [0264.182] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0264.183] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf1c) returned 0x2cc [0268.901] Module32First (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.901] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.902] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.903] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.904] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.904] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.905] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.906] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.906] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.907] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.908] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.908] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.909] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.910] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.910] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.911] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.912] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.912] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 1 [0268.913] Module32Next (hSnapshot=0x2cc, lpme=0x55f63c) returned 0 [0268.914] CloseHandle (hObject=0x2cc) returned 1 [0268.914] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0268.916] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf2c) returned 0x250 [0268.929] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.930] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.930] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.931] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.932] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.932] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.933] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.934] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0268.934] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.640] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.641] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.642] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.642] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.643] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.644] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.644] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.645] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.646] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0273.647] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0273.647] CloseHandle (hObject=0x250) returned 1 [0273.647] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0273.649] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf34) returned 0x31c [0273.661] Module32First (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.662] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.663] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.664] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.664] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.665] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.666] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.666] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.667] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.668] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.669] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.670] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.670] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.671] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.672] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.673] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.673] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.674] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 1 [0273.675] Module32Next (hSnapshot=0x31c, lpme=0x55f63c) returned 0 [0273.675] CloseHandle (hObject=0x31c) returned 1 [0273.675] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0273.677] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf44) returned 0x250 [0278.396] Module32First (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.397] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.399] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.400] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.402] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.403] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.405] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.406] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.408] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.409] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.410] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.411] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.413] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.414] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.417] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.420] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.422] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.425] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 1 [0278.427] Module32Next (hSnapshot=0x250, lpme=0x55f63c) returned 0 [0278.429] CloseHandle (hObject=0x250) returned 1 [0278.431] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0288.575] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf4c) returned 0x36c [0288.606] Module32First (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.606] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.607] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.608] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.608] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.609] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.610] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.611] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.611] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.612] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.613] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.614] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.614] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.615] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.616] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.616] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.617] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.618] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0288.618] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 0 [0288.619] CloseHandle (hObject=0x36c) returned 1 [0288.619] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0288.621] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf5c) returned 0x320 [0294.479] Module32First (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.480] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.481] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.482] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.482] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.483] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.484] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.485] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.485] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.486] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.487] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.488] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.488] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.489] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.490] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.491] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.492] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.493] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0294.493] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 0 [0294.494] CloseHandle (hObject=0x320) returned 1 [0294.494] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0294.496] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf64) returned 0x36c [0294.508] Module32First (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.509] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.510] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.510] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.511] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.512] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.513] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.513] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.514] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.515] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.516] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.516] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.517] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.518] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.519] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.520] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0294.521] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0300.319] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 1 [0300.320] Module32Next (hSnapshot=0x36c, lpme=0x55f63c) returned 0 [0300.321] CloseHandle (hObject=0x36c) returned 1 [0300.322] Process32Next (in: hSnapshot=0x29c, lppe=0x55f8a0 | out: lppe=0x55f8a0*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0300.323] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0xf74) returned 0x320 [0300.348] Module32First (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.349] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.351] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.352] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.353] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.355] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.356] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.357] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.358] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.359] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.360] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.361] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.362] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.363] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.364] Module32Next (hSnapshot=0x320, lpme=0x55f63c) returned 1 [0300.365] Module32Next (hSnapshot=0x320, lpme=0x55f63c) Thread: id = 516 os_tid = 0x125c Thread: id = 519 os_tid = 0xe34 Thread: id = 736 os_tid = 0xe1c [0246.326] WaitForSingleObject (hHandle=0x250, dwMilliseconds=0x3a98) returned 0x0 [0246.327] CloseHandle (hObject=0x250) returned 1 [0246.328] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30310 [0246.329] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x92ffb60 | out: phkResult=0x92ffb60*=0x250) returned 0x0 [0246.330] RegQueryValueExA (in: hKey=0x250, lpValueName="3665b42c", lpReserved=0x0, lpType=0x92ffb58, lpData=0x0, lpcbData=0x92ffb5c*=0x0 | out: lpType=0x92ffb58*=0x0, lpData=0x0, lpcbData=0x92ffb5c*=0x0) returned 0x2 [0246.330] RegCloseKey (hKey=0x250) returned 0x0 [0246.331] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30310 | out: hHeap=0x4d40000) returned 1 [0246.331] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0246.331] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dca850 | out: hHeap=0x4d40000) returned 1 [0246.331] CloseHandle (hObject=0x1d8) returned 1 [0246.331] ReleaseMutex (hMutex=0x234) returned 1 Thread: id = 825 os_tid = 0x13e8 [0266.564] WaitForSingleObject (hHandle=0x1d8, dwMilliseconds=0x3a98) returned 0x0 [0266.564] CloseHandle (hObject=0x1d8) returned 1 [0266.564] WaitForSingleObject (hHandle=0x258, dwMilliseconds=0x0) returned 0x0 [0266.564] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x94bfb88 | out: lpSystemTimeAsFileTime=0x94bfb88*(dwLowDateTime=0x526528e1, dwHighDateTime=0x1d99f3b)) [0266.565] GetCurrentProcess () returned 0xffffffff [0266.565] GetCurrentThread () returned 0xfffffffe [0266.565] GetCurrentProcess () returned 0xffffffff [0266.565] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x497106c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x497106c*=0x1d8) returned 1 [0266.569] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30310 [0266.570] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x94bf9f0 | out: phkResult=0x94bf9f0*=0x1fc) returned 0x0 [0266.570] RegQueryValueExA (in: hKey=0x1fc, lpValueName="114fcb8c", lpReserved=0x0, lpType=0x94bf9e8, lpData=0x0, lpcbData=0x94bf9ec*=0x0 | out: lpType=0x94bf9e8*=0x3, lpData=0x0, lpcbData=0x94bf9ec*=0x54) returned 0x0 [0266.570] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x55) returned 0x4dc1bc8 [0266.570] RegQueryValueExA (in: hKey=0x1fc, lpValueName="114fcb8c", lpReserved=0x0, lpType=0x94bf9e8, lpData=0x4dc1bc8, lpcbData=0x94bf9ec*=0x54 | out: lpType=0x94bf9e8*=0x3, lpData=0x4dc1bc8*, lpcbData=0x94bf9ec*=0x54) returned 0x0 [0266.570] RegCloseKey (hKey=0x1fc) returned 0x0 [0266.571] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0266.571] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca790 [0266.572] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0266.572] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30310 | out: hHeap=0x4d40000) returned 1 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x73) returned 0x4dc1bc8 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x28) returned 0x4c301f0 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe) returned 0x4dca850 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca8e0 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dca868 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dca880 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dc1e88 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dc1eb8 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dc1c90 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dc1db0 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x8) returned 0x4dc03a0 [0266.573] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dc1ee8 [0266.573] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bc8 | out: hHeap=0x4d40000) returned 1 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕטּो￿ÿנּो㷲ҕوҘ") returned 14 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.574] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.575] lstrlenW (lpString="䉁䑃䙅ҕ") returned 4 [0266.575] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6) returned 0x4dc1bc8 [0266.580] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x6) returned 0x4dc1bd8 [0266.580] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x15) returned 0x4dc1be8 [0266.580] lstrcatA (in: lpString1="", lpString2="https" | out: lpString1="https") returned="https" [0266.580] lstrcatA (in: lpString1="https", lpString2="://" | out: lpString1="https://") returned="https://" [0266.580] lstrcatA (in: lpString1="https://", lpString2="irs.gov" | out: lpString1="https://irs.gov") returned="https://irs.gov" [0266.580] lstrcatA (in: lpString1="https://irs.gov", lpString2=":" | out: lpString1="https://irs.gov:") returned="https://irs.gov:" [0266.580] lstrcatA (in: lpString1="https://irs.gov:", lpString2="443" | out: lpString1="https://irs.gov:443") returned="https://irs.gov:443" [0266.580] lstrcatA (in: lpString1="https://irs.gov:443", lpString2="/" | out: lpString1="https://irs.gov:443/") returned="https://irs.gov:443/" [0266.580] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1bd8 | out: hHeap=0x4d40000) returned 1 [0266.581] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1e) returned 0x4dc1c08 [0266.581] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xa) returned 0x4dc1ca8 [0266.581] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xb) returned 0x4dc1e28 [0266.581] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xc) returned 0x4dc1f00 [0266.581] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x4) returned 0x4dc1bd8 [0266.581] InternetCrackUrlA (in: lpszUrl="https://irs.gov:443/", dwUrlLength=0x14, dwFlags=0x0, lpUrlComponents=0x94bfa28 | out: lpUrlComponents=0x94bfa28) returned 1 [0266.588] InternetOpenA (lpszAgent="Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0278.475] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x3, lpBuffer=0x94bf7fc*, dwBufferLength=0x4) returned 1 [0278.475] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x94bf7fc*, dwBufferLength=0x4) returned 1 [0278.475] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x94bf7fc*, dwBufferLength=0x4) returned 1 [0278.475] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x94bf7fc*, dwBufferLength=0x4) returned 1 [0288.565] InternetConnectA (hInternet=0xcc0004, lpszServerName="irs.gov", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0288.769] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="GET", lpszObjectName="/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x94bfa64*="application/x-shockwave-flash", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0288.771] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x94bf7fc, lpdwBufferLength=0x94bf7f8 | out: lpBuffer=0x94bf7fc, lpdwBufferLength=0x94bf7f8) returned 1 [0288.771] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x94bf7fc*, dwBufferLength=0x4) returned 1 [0288.772] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0293.977] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x13, lpBuffer=0x94bfa90, lpdwBufferLength=0x94bfa84, lpdwIndex=0x0 | out: lpBuffer=0x94bfa90*, lpdwBufferLength=0x94bfa84*=0x3, lpdwIndex=0x0) returned 1 [0293.977] SetLastError (dwErrCode=0x0) [0293.977] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000005, lpBuffer=0x94bfa84, lpdwBufferLength=0x94bfa80, lpdwIndex=0x0 | out: lpBuffer=0x94bfa84, lpdwBufferLength=0x94bfa80, lpdwIndex=0x0) returned 0 [0293.977] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10400) returned 0x4cbc008 [0293.980] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xfa001) returned 0x79c0020 [0293.983] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x3834) returned 1 [0293.985] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x67c2) returned 1 [0293.987] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x200a) returned 1 [0293.987] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x52c) returned 1 [0293.989] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x3ff6) returned 1 [0294.045] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0xa) returned 1 [0294.045] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x3ff6) returned 1 [0294.150] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x400a) returned 1 [0294.152] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x3ff6) returned 1 [0294.249] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x400a) returned 1 [0294.250] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x1c3b) returned 1 [0294.324] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x4cbc008, dwNumberOfBytesToRead=0x10400, lpdwNumberOfBytesRead=0x94bfa9c | out: lpBuffer=0x4cbc008*, lpdwNumberOfBytesRead=0x94bfa9c*=0x0) returned 1 [0294.331] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4cbc008 | out: hHeap=0x4d40000) returned 1 [0294.331] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0299.180] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0299.180] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0299.180] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1be8 | out: hHeap=0x4d40000) returned 1 [0299.186] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x79c0020 | out: hHeap=0x4d40000) returned 1 [0299.190] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30310 [0299.190] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x94bf9a8 | out: phkResult=0x94bf9a8*=0x370) returned 0x0 [0299.191] RegQueryValueExA (in: hKey=0x370, lpValueName="2caa5c0b", lpReserved=0x0, lpType=0x94bf9a0, lpData=0x0, lpcbData=0x94bf9a4*=0x0 | out: lpType=0x94bf9a0*=0x0, lpData=0x0, lpcbData=0x94bf9a4*=0x0) returned 0x2 [0299.191] RegCloseKey (hKey=0x370) returned 0x0 [0299.192] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30310 | out: hHeap=0x4d40000) returned 1 [0299.192] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30160 [0299.192] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x94bf990 | out: phkResult=0x94bf990*=0x370) returned 0x0 [0299.192] RegQueryValueExA (in: hKey=0x370, lpValueName="3e1ff3e5", lpReserved=0x0, lpType=0x94bf988, lpData=0x0, lpcbData=0x94bf98c*=0x0 | out: lpType=0x94bf988*=0x0, lpData=0x0, lpcbData=0x94bf98c*=0x0) returned 0x2 [0299.192] RegCloseKey (hKey=0x370) returned 0x0 [0299.192] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30160 | out: hHeap=0x4d40000) returned 1 [0299.192] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x20) returned 0x4dc2050 [0299.192] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c30100 [0299.193] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x94bf980 | out: phkResult=0x94bf980*=0x370) returned 0x0 [0299.193] RegQueryValueExA (in: hKey=0x370, lpValueName="f3d19cc3", lpReserved=0x0, lpType=0x94bf978, lpData=0x0, lpcbData=0x94bf97c*=0x0 | out: lpType=0x94bf978*=0x0, lpData=0x0, lpcbData=0x94bf97c*=0x0) returned 0x2 [0299.193] RegCloseKey (hKey=0x370) returned 0x0 [0299.193] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c30100 | out: hHeap=0x4d40000) returned 1 [0299.195] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xd) returned 0x4dc1d68 [0299.195] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x1a) returned 0x4dc2078 [0299.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x4dc1d68, cbMultiByte=-1, lpWideCharStr=0x4dc2078, cchWideChar=13 | out: lpWideCharStr="Component_08") returned 13 [0299.196] lstrlenW (lpString="䉁䑃䙅Ӝ￿￿⁸Ü﬈ो\x03ҖوҘ\x1e") returned 15 [0299.196] FindResourceW (hModule=0x4950000, lpName="Component_08", lpType=0xa) returned 0x0 [0299.196] lstrlenW (lpString="䉁䑃䙅") returned 3 [0299.196] FindResourceW (hModule=0x4950000, lpName="Component_08", lpType=0x3) returned 0x0 [0299.196] lstrlenW (lpString="䉁䑃䙅") returned 3 [0299.196] FindResourceW (hModule=0x4950000, lpName="Component_08", lpType=0x2) returned 0x4972078 [0299.196] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2078 | out: hHeap=0x4d40000) returned 1 [0299.196] SizeofResource (hModule=0x4950000, hResInfo=0x4972078) returned 0x3fc [0299.196] LoadResource (hModule=0x4950000, hResInfo=0x4972078) returned 0x4972114 [0299.196] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3fe) returned 0x4dc2078 [0299.196] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc1d68 | out: hHeap=0x4d40000) returned 1 [0299.196] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x29) returned 0x4dc2480 [0299.196] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x448) returned 0x4dc24b8 [0299.196] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3fc) returned 0x4dc2908 [0299.196] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0299.196] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0299.197] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2480 | out: hHeap=0x4d40000) returned 1 [0299.197] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x448) returned 0x4dc2d10 [0299.202] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x3e8) returned 0x4dc3160 [0299.202] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋\x14") returned 7 [0299.202] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x264) returned 0x4dc3550 [0299.202] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0xe7c) returned 0x4dc37c0 [0299.202] lstrlenW (lpString="䉁䑃䙅ो鈎ҕ") returned 6 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.202] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.203] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.204] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.205] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.206] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.207] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.208] lstrlenW (lpString="䉁䑃䙅Ӝ$") returned 5 [0299.209] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc3160 | out: hHeap=0x4d40000) returned 1 [0299.209] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2d10 | out: hHeap=0x4d40000) returned 1 [0299.210] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2908 | out: hHeap=0x4d40000) returned 1 [0299.210] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc24b8 | out: hHeap=0x4d40000) returned 1 [0299.211] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4dc2078 | out: hHeap=0x4d40000) returned 1 [0299.211] inet_ntoa (in=0x2809824) returned="36.152.128.2" [0299.213] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x21) returned 0x4c300d0 [0299.213] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0x94bf950 | out: phkResult=0x94bf950*=0x370) returned 0x0 [0299.213] RegQueryValueExA (in: hKey=0x370, lpValueName="d6bac31f", lpReserved=0x0, lpType=0x94bf948, lpData=0x0, lpcbData=0x94bf94c*=0x0 | out: lpType=0x94bf948*=0x0, lpData=0x0, lpcbData=0x94bf94c*=0x0) returned 0x2 [0299.213] RegCloseKey (hKey=0x370) returned 0x0 [0299.214] HeapFree (in: hHeap=0x4d40000, dwFlags=0x0, lpMem=0x4c300d0 | out: hHeap=0x4d40000) returned 1 [0299.214] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x94bfab8 | out: lpSystemTimeAsFileTime=0x94bfab8*(dwLowDateTime=0x65db15b2, dwHighDateTime=0x1d99f3b)) [0299.214] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x94bfab8 | out: lpSystemTimeAsFileTime=0x94bfab8*(dwLowDateTime=0x65db15b2, dwHighDateTime=0x1d99f3b)) [0299.214] WaitForSingleObject (hHandle=0x234, dwMilliseconds=0x7530) returned 0x0 [0299.214] WaitForSingleObject (hHandle=0x254, dwMilliseconds=0x0) returned 0x102 [0299.214] WaitForSingleObject (hHandle=0x268, dwMilliseconds=0x0) returned 0x102 [0299.214] WaitForSingleObject (hHandle=0x294, dwMilliseconds=0x0) returned 0x102 [0299.214] WaitForSingleObject (hHandle=0x2a0, dwMilliseconds=0x0) returned 0x102 [0299.214] RtlAllocateHeap (HeapHandle=0x4d40000, Flags=0x8, Size=0x10) returned 0x4dc1d20 [0299.214] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName=0x0) returned 0x370 [0299.214] GetLastError () returned 0x0 [0299.214] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x495ebc9, lpParameter=0x4dc06f0, dwCreationFlags=0x0, lpThreadId=0x4dc06f4 | out: lpThreadId=0x4dc06f4*=0x79c) returned 0x374 [0299.215] SetThreadPriority (hThread=0x374, nPriority=-1) returned 1 [0299.215] ReleaseMutex (hMutex=0x370) returned 1 [0299.215] ReleaseMutex (hMutex=0x234) returned 1 [0299.215] WaitForSingleObject (hHandle=0x374, dwMilliseconds=0x3e8) Thread: id = 857 os_tid = 0xf24 Thread: id = 907 os_tid = 0xae4 Process: id = "178" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x71e8d000" os_pid = "0x59c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "176" os_parent_pid = "0x12c4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "179" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x733f2000" os_pid = "0x768" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11850 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11851 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11852 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11853 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11854 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11855 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11856 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11857 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11858 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11859 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11860 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11861 start_va = 0x7e840000 end_va = 0x7e862fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e840000" filename = "" Region: id = 11862 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11863 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11864 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11865 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11866 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11867 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11868 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11869 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11870 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11871 start_va = 0x5b0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 11872 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11873 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11874 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11875 start_va = 0x7e740000 end_va = 0x7e83ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e740000" filename = "" Region: id = 11876 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11877 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 11878 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11879 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11880 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11881 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 11882 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 11883 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11884 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11885 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11886 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11887 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11888 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11889 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11890 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11891 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11892 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11893 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11894 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11895 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11896 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11897 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11898 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11899 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11900 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11901 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11902 start_va = 0x840000 end_va = 0x9c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 11903 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11904 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11905 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 11906 start_va = 0x9d0000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 11907 start_va = 0xb60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 11908 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11909 start_va = 0x500000 end_va = 0x590fff monitored = 0 entry_point = 0x538cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11910 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11911 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 11912 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 11913 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 11914 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11915 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 11916 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 11917 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 11918 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 11919 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 356 os_tid = 0x1188 [0137.280] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0137.280] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.281] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0137.281] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.281] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0137.281] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0137.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.282] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0137.282] GetProcessHeap () returned 0x740000 [0137.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0137.283] GetLastError () returned 0x7e [0137.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0137.283] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0137.283] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x364) returned 0x7509a0 [0137.283] SetLastError (dwErrCode=0x7e) [0137.284] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xe00) returned 0x750d10 [0137.285] GetStartupInfoW (in: lpStartupInfo=0x18fd30 | out: lpStartupInfo=0x18fd30*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0137.286] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0137.286] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0137.286] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0137.286] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"" [0137.286] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"" [0137.286] GetACP () returned 0x4e4 [0137.286] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x220) returned 0x751b18 [0137.286] IsValidCodePage (CodePage=0x4e4) returned 1 [0137.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd50 | out: lpCPInfo=0x18fd50) returned 1 [0137.286] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f618 | out: lpCPInfo=0x18f618) returned 1 [0137.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.286] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f62c | out: lpCharType=0x18f62c) returned 1 [0137.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.286] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x18f368, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0137.286] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.287] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0137.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f158, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿGæý9hý\x18", lpUsedDefaultChar=0x0) returned 256 [0137.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.287] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc2c, cbMultiByte=256, lpWideCharStr=0x18f388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.287] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f178, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0137.287] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿGæý9hý\x18", lpUsedDefaultChar=0x0) returned 256 [0137.287] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x80) returned 0x743878 [0137.287] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0137.287] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x192) returned 0x751d40 [0137.287] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0137.287] GetLastError () returned 0x0 [0137.287] SetLastError (dwErrCode=0x0) [0137.288] GetEnvironmentStringsW () returned 0x751ee0* [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0xa8c) returned 0x752978 [0137.288] FreeEnvironmentStringsW (penv=0x751ee0) returned 1 [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x90) returned 0x744568 [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3e) returned 0x74aa98 [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x5c) returned 0x748aa0 [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x6e) returned 0x744630 [0137.288] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x78) returned 0x7536b8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x62) returned 0x744c60 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x28) returned 0x743d98 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x48) returned 0x743fe8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1a) returned 0x740570 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3a) returned 0x74ac90 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x62) returned 0x743bf8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2a) returned 0x7488e0 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2e) returned 0x748918 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1c) returned 0x743dc8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x144) returned 0x749cb8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x7c) returned 0x748300 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x36) returned 0x74e2f0 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3a) returned 0x74aa08 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x90) returned 0x7443a0 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x743918 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x30) returned 0x748678 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x36) returned 0x74e4b0 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x48) returned 0x742908 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x52) returned 0x7404b8 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x3c) returned 0x74b110 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0xd6) returned 0x749e78 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2e) returned 0x748950 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x1e) returned 0x742958 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2c) returned 0x7486b0 [0137.289] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x54) returned 0x743e10 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x52) returned 0x744070 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x743e70 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x42) returned 0x7440d0 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x2c) returned 0x748720 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x44) returned 0x749fa8 [0137.290] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x24) returned 0x743948 [0137.291] HeapFree (in: hHeap=0x740000, dwFlags=0x0, lpMem=0x752978 | out: hHeap=0x740000) returned 1 [0137.291] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x8, Size=0x800) returned 0x751ee0 [0137.291] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0137.291] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0137.291] GetStartupInfoW (in: lpStartupInfo=0x18fd94 | out: lpStartupInfo=0x18fd94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0137.291] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"" [0137.291] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"", pNumArgs=0x18fd80 | out: pNumArgs=0x18fd80) returned 0x752b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0137.292] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0137.295] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x1000) returned 0x754418 [0137.295] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x40) returned 0x74ad20 [0137.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getUserData", cchWideChar=-1, lpMultiByteStr=0x74ad20, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getUserData", lpUsedDefaultChar=0x0) returned 32 [0137.296] GetLastError () returned 0x0 [0137.296] SetLastError (dwErrCode=0x0) [0137.296] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataW") returned 0x0 [0137.296] GetLastError () returned 0x7f [0137.296] SetLastError (dwErrCode=0x7f) [0137.296] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataA") returned 0x0 [0137.296] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserData") returned 0x647c80a5 [0137.296] RtlAllocateHeap (HeapHandle=0x740000, Flags=0x0, Size=0x4) returned 0x743820 [0137.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x743820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0137.297] GetActiveWindow () returned 0x0 [0137.298] GetLastError () returned 0x7f [0137.298] SetLastError (dwErrCode=0x7f) Thread: id = 359 os_tid = 0x136c Process: id = "180" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x74b60000" os_pid = "0x81c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "179" os_parent_pid = "0x768" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "181" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6390a000" os_pid = "0x1108" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 11925 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 11926 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 11927 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 11928 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 11929 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 11930 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 11931 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 11932 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11933 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 11934 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 11935 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11936 start_va = 0x7f1f0000 end_va = 0x7f212fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1f0000" filename = "" Region: id = 11937 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 11938 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 11939 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 11940 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 11948 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 11949 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 11950 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 11951 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11952 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 11953 start_va = 0x570000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 11954 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 11955 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 11958 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 11959 start_va = 0x7f0f0000 end_va = 0x7f1effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0f0000" filename = "" Region: id = 11960 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 11961 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 11962 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 11963 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 11964 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 11965 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 11966 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 11967 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 11968 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 11969 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 11970 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 11971 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 11972 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 11973 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 11974 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 11975 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 11976 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 11977 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 11978 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 11979 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 11980 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 11981 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 11982 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 11983 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 11984 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 11985 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11986 start_va = 0x780000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 11987 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 11988 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 11989 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 11990 start_va = 0x4e0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 11991 start_va = 0x910000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 11992 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 11993 start_va = 0xaa0000 end_va = 0xb30fff monitored = 0 entry_point = 0xad8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 11994 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 11995 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 11996 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 11997 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11998 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 11999 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 12000 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 12001 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 12002 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 12003 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 12004 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 363 os_tid = 0x13e4 [0137.717] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0137.718] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.718] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0137.718] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.718] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0137.718] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0137.719] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.719] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0137.719] GetProcessHeap () returned 0x680000 [0137.719] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.719] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0137.720] GetLastError () returned 0x7e [0137.720] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0137.720] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0137.720] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x364) returned 0x6909a0 [0137.720] SetLastError (dwErrCode=0x7e) [0137.720] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xe00) returned 0x690d10 [0137.722] GetStartupInfoW (in: lpStartupInfo=0x18fa5c | out: lpStartupInfo=0x18fa5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0137.722] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0137.722] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0137.722] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0137.722] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"" [0137.722] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"" [0137.722] GetACP () returned 0x4e4 [0137.722] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x220) returned 0x691b18 [0137.722] IsValidCodePage (CodePage=0x4e4) returned 1 [0137.722] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa7c | out: lpCPInfo=0x18fa7c) returned 1 [0137.722] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f344 | out: lpCPInfo=0x18f344) returned 1 [0137.722] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.722] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x18f0e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0137.722] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f358 | out: lpCharType=0x18f358) returned 1 [0137.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x18f098, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.723] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0137.723] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0137.723] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.723] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.723] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f858, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿê\"Hù\x94ú\x18", lpUsedDefaultChar=0x0) returned 256 [0137.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.723] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f958, cbMultiByte=256, lpWideCharStr=0x18f0b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0137.723] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.723] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eea8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0137.723] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f758, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿê\"Hù\x94ú\x18", lpUsedDefaultChar=0x0) returned 256 [0137.723] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x80) returned 0x683878 [0137.723] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0137.723] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x192) returned 0x691d40 [0137.723] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0137.723] GetLastError () returned 0x0 [0137.724] SetLastError (dwErrCode=0x0) [0137.724] GetEnvironmentStringsW () returned 0x691ee0* [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0xa8c) returned 0x692978 [0137.724] FreeEnvironmentStringsW (penv=0x691ee0) returned 1 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x90) returned 0x684568 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x3e) returned 0x68ab28 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x5c) returned 0x688840 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x6e) returned 0x684630 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x78) returned 0x693838 [0137.724] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x62) returned 0x684a00 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x28) returned 0x683d98 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x48) returned 0x683fe8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x1a) returned 0x680570 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x3a) returned 0x68ad68 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x62) returned 0x683bf8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x2a) returned 0x6884c0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x2e) returned 0x688530 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x1c) returned 0x683dc8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x144) returned 0x689cb8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x7c) returned 0x6880a0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x36) returned 0x68e530 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x3a) returned 0x68af18 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x90) returned 0x6843a0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x24) returned 0x683918 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x30) returned 0x688680 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x36) returned 0x68e0b0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x48) returned 0x682908 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x52) returned 0x6804b8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x3c) returned 0x68b0c8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0xd6) returned 0x689e78 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x2e) returned 0x688418 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x1e) returned 0x682958 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x2c) returned 0x6885a0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x54) returned 0x683e10 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x52) returned 0x684070 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x24) returned 0x683e70 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x42) returned 0x6840d0 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x2c) returned 0x688610 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x44) returned 0x689fa8 [0137.725] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x24) returned 0x683948 [0137.726] HeapFree (in: hHeap=0x680000, dwFlags=0x0, lpMem=0x692978 | out: hHeap=0x680000) returned 1 [0137.726] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x8, Size=0x800) returned 0x691ee0 [0137.726] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0137.726] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0137.726] GetStartupInfoW (in: lpStartupInfo=0x18fac0 | out: lpStartupInfo=0x18fac0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0137.726] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"" [0137.727] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"", pNumArgs=0x18faac | out: pNumArgs=0x18faac) returned 0x692b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0137.727] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0137.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x1000) returned 0x694418 [0137.739] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x40) returned 0x68b080 [0137.739] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_lockSession", cchWideChar=-1, lpMultiByteStr=0x68b080, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_lockSession", lpUsedDefaultChar=0x0) returned 32 [0137.739] GetLastError () returned 0x0 [0137.739] SetLastError (dwErrCode=0x0) [0137.739] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionW") returned 0x0 [0137.739] GetLastError () returned 0x7f [0137.739] SetLastError (dwErrCode=0x7f) [0137.739] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionA") returned 0x0 [0137.740] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSession") returned 0x647c6f74 [0137.740] RtlAllocateHeap (HeapHandle=0x680000, Flags=0x0, Size=0x4) returned 0x683820 [0137.740] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x683820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0137.740] GetActiveWindow () returned 0x0 [0137.741] GetLastError () returned 0x7f [0137.741] SetLastError (dwErrCode=0x7f) Thread: id = 367 os_tid = 0x11e4 Process: id = "182" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50163000" os_pid = "0x137c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "181" os_parent_pid = "0x1108" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "183" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7971f000" os_pid = "0x12ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12005 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12006 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12007 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12008 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12009 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12010 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12011 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12012 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12013 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 12014 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12015 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12016 start_va = 0x7ea80000 end_va = 0x7eaa2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea80000" filename = "" Region: id = 12017 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12018 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12019 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12020 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12022 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12023 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12024 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12025 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12026 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12027 start_va = 0xde0000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 12028 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12029 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12037 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12038 start_va = 0x7e980000 end_va = 0x7ea7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 12039 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12040 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 12041 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12042 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12043 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12044 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 12045 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12046 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12047 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12048 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12049 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12052 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12053 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12054 start_va = 0xdd0000 end_va = 0xdd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 12055 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12056 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12057 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12058 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12059 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12060 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12061 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12062 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12063 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12064 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12065 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 12066 start_va = 0xde0000 end_va = 0xe09fff monitored = 0 entry_point = 0xde5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12067 start_va = 0xe70000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 12068 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12069 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12070 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12071 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 12072 start_va = 0xf70000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 12073 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12074 start_va = 0xf70000 end_va = 0x1000fff monitored = 0 entry_point = 0xfa8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12075 start_va = 0x1030000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 12076 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12077 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 12078 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 12079 start_va = 0xdf0000 end_va = 0xdf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 12086 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 12087 start_va = 0xe00000 end_va = 0xe01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 12088 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 12089 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 12090 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 12091 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Thread: id = 371 os_tid = 0xe28 [0138.136] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0138.137] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.137] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0138.137] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.137] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0138.137] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0138.138] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.138] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0138.139] GetProcessHeap () returned 0xe70000 [0138.139] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0138.139] GetLastError () returned 0x7e [0138.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0138.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0138.139] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x364) returned 0xe809a8 [0138.140] SetLastError (dwErrCode=0x7e) [0138.140] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0xe00) returned 0xe80d18 [0138.142] GetStartupInfoW (in: lpStartupInfo=0x18fc44 | out: lpStartupInfo=0x18fc44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0138.142] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0138.142] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0138.142] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0138.142] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"" [0138.142] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"" [0138.142] GetACP () returned 0x4e4 [0138.142] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0x220) returned 0xe81b20 [0138.142] IsValidCodePage (CodePage=0x4e4) returned 1 [0138.142] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc64 | out: lpCPInfo=0x18fc64) returned 1 [0138.142] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f52c | out: lpCPInfo=0x18f52c) returned 1 [0138.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x18f2c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0138.142] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f540 | out: lpCharType=0x18f540) returned 1 [0138.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x18f288, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0138.143] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.143] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0138.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0138.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f078, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0138.143] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa40, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÇ1Úµ|ü\x18", lpUsedDefaultChar=0x0) returned 256 [0138.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.143] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0138.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0138.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f088, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0138.143] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f940, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÇ1Úµ|ü\x18", lpUsedDefaultChar=0x0) returned 256 [0138.144] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0x80) returned 0xe73880 [0138.144] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0138.144] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x198) returned 0xe81d48 [0138.144] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0138.144] GetLastError () returned 0x0 [0138.144] SetLastError (dwErrCode=0x0) [0138.144] GetEnvironmentStringsW () returned 0xe81ee8* [0138.144] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0xa8c) returned 0xe82980 [0138.144] FreeEnvironmentStringsW (penv=0xe81ee8) returned 1 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x90) returned 0xe74570 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x3e) returned 0xe7b040 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x5c) returned 0xe78aa8 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x6e) returned 0xe74638 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x78) returned 0xe83f40 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x62) returned 0xe74c68 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x28) returned 0xe73da0 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x48) returned 0xe73ff0 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x1a) returned 0xe70570 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x3a) returned 0xe7ae90 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x62) returned 0xe73c00 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x2a) returned 0xe788b0 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x2e) returned 0xe788e8 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x1c) returned 0xe73dd0 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x144) returned 0xe79cc0 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x7c) returned 0xe78308 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x36) returned 0xe7e1f8 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x3a) returned 0xe7ab30 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x90) returned 0xe743a8 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x24) returned 0xe73920 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x30) returned 0xe78920 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x36) returned 0xe7e338 [0138.145] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x48) returned 0xe72910 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x52) returned 0xe704b8 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x3c) returned 0xe7b088 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0xd6) returned 0xe79e80 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x2e) returned 0xe786b8 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x1e) returned 0xe72960 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x2c) returned 0xe787d0 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x54) returned 0xe73e18 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x52) returned 0xe74078 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x24) returned 0xe73e78 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x42) returned 0xe740d8 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x2c) returned 0xe786f0 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x44) returned 0xe79fb0 [0138.146] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x24) returned 0xe73950 [0138.147] HeapFree (in: hHeap=0xe70000, dwFlags=0x0, lpMem=0xe82980 | out: hHeap=0xe70000) returned 1 [0138.147] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x8, Size=0x800) returned 0xe81ee8 [0138.147] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0138.147] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0138.148] GetStartupInfoW (in: lpStartupInfo=0x18fca8 | out: lpStartupInfo=0x18fca8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0138.148] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"" [0138.148] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"", pNumArgs=0x18fc94 | out: pNumArgs=0x18fc94) returned 0xe82b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0138.148] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0138.151] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0x1000) returned 0xe84420 [0138.151] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0x46) returned 0xe7a6f8 [0138.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_releaseSession", cchWideChar=-1, lpMultiByteStr=0xe7a6f8, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_releaseSession", lpUsedDefaultChar=0x0) returned 35 [0138.151] GetLastError () returned 0x0 [0138.151] SetLastError (dwErrCode=0x0) [0138.151] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionW") returned 0x0 [0138.151] GetLastError () returned 0x7f [0138.151] SetLastError (dwErrCode=0x7f) [0138.151] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionA") returned 0x0 [0138.152] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSession") returned 0x647c7018 [0138.152] RtlAllocateHeap (HeapHandle=0xe70000, Flags=0x0, Size=0x4) returned 0xe73828 [0138.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xe73828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0138.152] GetActiveWindow () returned 0x0 [0138.153] GetLastError () returned 0x7f [0138.153] SetLastError (dwErrCode=0x7f) Thread: id = 373 os_tid = 0x904 Process: id = "184" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50176000" os_pid = "0xc98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "183" os_parent_pid = "0x12ac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "185" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x16e37000" os_pid = "0x134c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12095 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12096 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12097 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12098 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12099 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12100 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12101 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12102 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12103 start_va = 0xd70000 end_va = 0xd71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 12104 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12105 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12106 start_va = 0x7f720000 end_va = 0x7f742fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f720000" filename = "" Region: id = 12107 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12108 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12109 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12110 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12111 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12112 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12113 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12114 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12115 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12116 start_va = 0xd80000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 12117 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12118 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12119 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12120 start_va = 0x7f620000 end_va = 0x7f71ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f620000" filename = "" Region: id = 12121 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12122 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 12123 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12124 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12125 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12126 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 12127 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12128 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12129 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12130 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12131 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12132 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12133 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12134 start_va = 0xd70000 end_va = 0xd73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 12135 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12136 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12137 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12138 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12139 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12140 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12141 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12142 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12143 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12144 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12145 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 12146 start_va = 0xd80000 end_va = 0xda9fff monitored = 0 entry_point = 0xd85680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12147 start_va = 0xf20000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 12148 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12149 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12150 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12151 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 12152 start_va = 0xd80000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 12153 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12154 start_va = 0xde0000 end_va = 0xe70fff monitored = 0 entry_point = 0xe18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12155 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12156 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 12157 start_va = 0xdd0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 12158 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 12159 start_va = 0xd90000 end_va = 0xd97fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 12178 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 12179 start_va = 0xda0000 end_va = 0xda1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 12180 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 12181 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 12182 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 12183 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Thread: id = 374 os_tid = 0x12d0 [0138.664] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0138.664] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.665] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0138.665] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.665] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0138.665] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0138.666] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.666] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0138.666] GetProcessHeap () returned 0xf20000 [0138.666] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.667] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0138.667] GetLastError () returned 0x7e [0138.667] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0138.667] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0138.667] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x364) returned 0xf30a90 [0138.667] SetLastError (dwErrCode=0x7e) [0138.667] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0xe00) returned 0xf30e00 [0138.670] GetStartupInfoW (in: lpStartupInfo=0x18f788 | out: lpStartupInfo=0x18f788*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0138.670] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0138.670] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0138.670] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0138.670] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"" [0138.670] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"" [0138.670] GetACP () returned 0x4e4 [0138.670] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0x220) returned 0xf31c08 [0138.670] IsValidCodePage (CodePage=0x4e4) returned 1 [0138.670] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7a8 | out: lpCPInfo=0x18f7a8) returned 1 [0138.670] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f070 | out: lpCPInfo=0x18f070) returned 1 [0138.670] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.670] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x18ee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0138.670] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f084 | out: lpCharType=0x18f084) returned 1 [0138.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0138.671] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0138.671] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0138.671] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0138.671] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ebb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0138.671] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f584, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿlÞ¹°À÷\x18", lpUsedDefaultChar=0x0) returned 256 [0138.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0138.671] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f684, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0138.671] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0138.671] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0138.671] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f484, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿlÞ¹°À÷\x18", lpUsedDefaultChar=0x0) returned 256 [0138.671] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0x80) returned 0xf23898 [0138.672] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0138.672] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x1a8) returned 0xf31e30 [0138.672] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0138.672] GetLastError () returned 0x0 [0138.672] SetLastError (dwErrCode=0x0) [0138.672] GetEnvironmentStringsW () returned 0xf31fe8* [0138.672] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0xa8c) returned 0xf32a80 [0138.672] FreeEnvironmentStringsW (penv=0xf31fe8) returned 1 [0138.672] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x90) returned 0xf247e8 [0138.672] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x3e) returned 0xf2af38 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x5c) returned 0xf28ac0 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x6e) returned 0xf248b0 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x78) returned 0xf335c0 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x62) returned 0xf24c80 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x28) returned 0xf24018 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x48) returned 0xf24268 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x1a) returned 0xf20570 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x3a) returned 0xf2ae60 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x62) returned 0xf23c18 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x2a) returned 0xf28900 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x2e) returned 0xf28778 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x1c) returned 0xf24048 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x144) returned 0xf29cd8 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x7c) returned 0xf28320 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x36) returned 0xf2e1e0 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x3a) returned 0xf2af80 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x90) returned 0xf24620 [0138.673] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x24) returned 0xf23938 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x30) returned 0xf28938 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x36) returned 0xf2e6e0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x48) returned 0xf22920 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x52) returned 0xf204b8 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x3c) returned 0xf2add0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0xd6) returned 0xf29e98 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x2e) returned 0xf287b0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x1e) returned 0xf22970 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x2c) returned 0xf28970 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x54) returned 0xf24090 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x52) returned 0xf242f0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x24) returned 0xf240f0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x42) returned 0xf24350 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x2c) returned 0xf286d0 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x44) returned 0xf29fc8 [0138.674] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x24) returned 0xf23968 [0138.675] HeapFree (in: hHeap=0xf20000, dwFlags=0x0, lpMem=0xf32a80 | out: hHeap=0xf20000) returned 1 [0138.675] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x8, Size=0x800) returned 0xf31fe8 [0138.675] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0138.675] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0138.675] GetStartupInfoW (in: lpStartupInfo=0x18f7ec | out: lpStartupInfo=0x18f7ec*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0138.675] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"" [0138.675] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"", pNumArgs=0x18f7d8 | out: pNumArgs=0x18f7d8) returned 0xf32c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0138.676] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0138.679] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0x1000) returned 0xf34520 [0138.679] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0x56) returned 0xf2a7f8 [0138.679] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_serializeCertificateId", cchWideChar=-1, lpMultiByteStr=0xf2a7f8, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_serializeCertificateId", lpUsedDefaultChar=0x0) returned 43 [0138.679] GetLastError () returned 0x0 [0138.679] SetLastError (dwErrCode=0x0) [0138.679] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdW") returned 0x0 [0138.680] GetLastError () returned 0x7f [0138.680] SetLastError (dwErrCode=0x7f) [0138.680] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdA") returned 0x0 [0138.680] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateId") returned 0x647cdb79 [0138.680] RtlAllocateHeap (HeapHandle=0xf20000, Flags=0x0, Size=0x4) returned 0xf23840 [0138.680] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xf23840, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0138.680] GetActiveWindow () returned 0x0 [0138.681] GetLastError () returned 0x7f [0138.681] SetLastError (dwErrCode=0x7f) Thread: id = 376 os_tid = 0x12f4 Process: id = "186" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x17b4e000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12162 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12163 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12164 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12165 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12166 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12167 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12168 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12169 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12170 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12171 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12172 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12173 start_va = 0x7f0f0000 end_va = 0x7f112fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0f0000" filename = "" Region: id = 12174 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12175 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12176 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12177 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12184 start_va = 0x410000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 12185 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12186 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12187 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12188 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12189 start_va = 0x410000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 12190 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 12192 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12193 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12194 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12195 start_va = 0x7eff0000 end_va = 0x7f0effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eff0000" filename = "" Region: id = 12196 start_va = 0x5b0000 end_va = 0x66dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12197 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12198 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12199 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12200 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 12201 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12202 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12203 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12204 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12205 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12206 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12207 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12208 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12209 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12210 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12211 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12212 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12213 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12214 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12215 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12216 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12217 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12218 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12221 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12222 start_va = 0x460000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 12223 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 12224 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12225 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12226 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 12227 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 12228 start_va = 0xa90000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 12229 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12230 start_va = 0xa90000 end_va = 0xb20fff monitored = 0 entry_point = 0xac8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12231 start_va = 0xb80000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 12236 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12237 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 12238 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 12239 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 12240 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 12241 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12242 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 12243 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12244 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 12245 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 377 os_tid = 0x11b8 [0139.172] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0139.172] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.173] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0139.173] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.173] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0139.173] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0139.173] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.174] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0139.174] GetProcessHeap () returned 0x460000 [0139.174] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0139.174] GetLastError () returned 0x7e [0139.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0139.175] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0139.175] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x364) returned 0x470ab0 [0139.175] SetLastError (dwErrCode=0x7e) [0139.175] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xe00) returned 0x470e20 [0139.176] GetStartupInfoW (in: lpStartupInfo=0x18fddc | out: lpStartupInfo=0x18fddc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0139.177] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0139.177] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0139.177] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0139.177] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"" [0139.177] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"" [0139.177] GetACP () returned 0x4e4 [0139.177] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x220) returned 0x471c28 [0139.177] IsValidCodePage (CodePage=0x4e4) returned 1 [0139.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdfc | out: lpCPInfo=0x18fdfc) returned 1 [0139.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6c4 | out: lpCPInfo=0x18f6c4) returned 1 [0139.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0139.177] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f6d8 | out: lpCharType=0x18f6d8) returned 1 [0139.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0139.177] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.177] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0139.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f208, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0139.178] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbd8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿkï?j\x14þ\x18", lpUsedDefaultChar=0x0) returned 256 [0139.178] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.178] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcd8, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0139.178] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.178] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0139.178] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿkï?j\x14þ\x18", lpUsedDefaultChar=0x0) returned 256 [0139.178] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x80) returned 0x4638b8 [0139.178] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0139.178] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1ba) returned 0x471e50 [0139.178] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0139.178] GetLastError () returned 0x0 [0139.178] SetLastError (dwErrCode=0x0) [0139.178] GetEnvironmentStringsW () returned 0x472018* [0139.178] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0xa8c) returned 0x472ab0 [0139.179] FreeEnvironmentStringsW (penv=0x472018) returned 1 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x90) returned 0x464808 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x3e) returned 0x46afa0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x5c) returned 0x468ae0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x6e) returned 0x4648d0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x78) returned 0x473570 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x62) returned 0x464ca0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x28) returned 0x463dd8 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x48) returned 0x464028 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1a) returned 0x460570 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x3a) returned 0x46b108 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x62) returned 0x463c38 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2a) returned 0x468a38 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2e) returned 0x4686f0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1c) returned 0x463e08 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x144) returned 0x469cf8 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x7c) returned 0x468340 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x36) returned 0x46e700 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x3a) returned 0x46ab68 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x90) returned 0x4643e0 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x24) returned 0x463958 [0139.179] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x30) returned 0x468798 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x36) returned 0x46e040 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x48) returned 0x462930 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x52) returned 0x4604b8 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x3c) returned 0x46abb0 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0xd6) returned 0x469eb8 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2e) returned 0x4686b8 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x1e) returned 0x462980 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2c) returned 0x4687d0 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x54) returned 0x463e50 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x52) returned 0x4640b0 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x24) returned 0x463eb0 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x42) returned 0x464110 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2c) returned 0x4688e8 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x44) returned 0x469fe8 [0139.180] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x24) returned 0x463988 [0139.181] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472ab0 | out: hHeap=0x460000) returned 1 [0139.181] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x800) returned 0x472018 [0139.181] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0139.181] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0139.181] GetStartupInfoW (in: lpStartupInfo=0x18fe40 | out: lpStartupInfo=0x18fe40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0139.181] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"" [0139.181] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"", pNumArgs=0x18fe2c | out: pNumArgs=0x18fe2c) returned 0x472c68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0139.182] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0139.184] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x1000) returned 0x474550 [0139.184] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x68) returned 0x46a730 [0139.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setCertificateIdCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x46a730, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setCertificateIdCertificateBlob", lpUsedDefaultChar=0x0) returned 52 [0139.184] GetLastError () returned 0x0 [0139.184] SetLastError (dwErrCode=0x0) [0139.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobW") returned 0x0 [0139.185] GetLastError () returned 0x7f [0139.185] SetLastError (dwErrCode=0x7f) [0139.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobA") returned 0x0 [0139.185] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlob") returned 0x647c6cfd [0139.185] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x0, Size=0x4) returned 0x463860 [0139.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x463860, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0139.185] GetActiveWindow () returned 0x0 [0139.186] GetLastError () returned 0x7f [0139.186] SetLastError (dwErrCode=0x7f) Thread: id = 379 os_tid = 0x12a4 Process: id = "187" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x501ad000" os_pid = "0xc90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "185" os_parent_pid = "0x134c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "188" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50121000" os_pid = "0x79c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "186" os_parent_pid = "0x12f0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "189" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13865000" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12250 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12251 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12252 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12253 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12254 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12255 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12256 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12257 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12258 start_va = 0x680000 end_va = 0x681fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 12259 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12260 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12261 start_va = 0x7f6a0000 end_va = 0x7f6c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6a0000" filename = "" Region: id = 12262 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12263 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12264 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12265 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12266 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12267 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12268 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12269 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12270 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12271 start_va = 0x690000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 12272 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12273 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12274 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12275 start_va = 0x7f5a0000 end_va = 0x7f69ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5a0000" filename = "" Region: id = 12276 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12277 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 12278 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12279 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12280 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12281 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 12282 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12283 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12284 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12285 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12286 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12287 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12288 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12289 start_va = 0x6a0000 end_va = 0x6a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 12290 start_va = 0x7f0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 12291 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12292 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12293 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12294 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12295 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12296 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12297 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12298 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12299 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12300 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12301 start_va = 0x6b0000 end_va = 0x6d9fff monitored = 0 entry_point = 0x6b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12302 start_va = 0x8f0000 end_va = 0xa77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 12303 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12304 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12305 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12306 start_va = 0xa80000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 12307 start_va = 0xc10000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 12308 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12309 start_va = 0x6b0000 end_va = 0x740fff monitored = 0 entry_point = 0x6e8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12310 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12311 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 12312 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 12313 start_va = 0x6c0000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 12314 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 12315 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 12316 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 12317 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 12318 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 12319 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Thread: id = 381 os_tid = 0x11d0 [0139.643] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0139.643] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.644] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0139.644] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.644] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0139.644] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0139.645] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.645] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0139.645] GetProcessHeap () returned 0x7f0000 [0139.645] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.645] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0139.645] GetLastError () returned 0x7e [0139.645] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0139.646] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0139.646] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x364) returned 0x8009a8 [0139.646] SetLastError (dwErrCode=0x7e) [0139.646] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0xe00) returned 0x800d18 [0139.648] GetStartupInfoW (in: lpStartupInfo=0x18f894 | out: lpStartupInfo=0x18f894*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0139.648] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0139.648] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0139.648] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0139.648] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"" [0139.648] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"" [0139.648] GetACP () returned 0x4e4 [0139.648] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x220) returned 0x801b20 [0139.648] IsValidCodePage (CodePage=0x4e4) returned 1 [0139.648] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8b4 | out: lpCPInfo=0x18f8b4) returned 1 [0139.648] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f17c | out: lpCPInfo=0x18f17c) returned 1 [0139.648] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.648] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0139.648] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f190 | out: lpCharType=0x18f190) returned 1 [0139.648] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.648] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0139.648] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0139.648] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0139.648] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.649] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0139.649] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f690, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿö©Ê\x8dÌø\x18", lpUsedDefaultChar=0x0) returned 256 [0139.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0139.649] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.649] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0139.649] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f590, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿö©Ê\x8dÌø\x18", lpUsedDefaultChar=0x0) returned 256 [0139.649] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x80) returned 0x7f3880 [0139.649] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0139.649] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x196) returned 0x801d48 [0139.649] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0139.649] GetLastError () returned 0x0 [0139.649] SetLastError (dwErrCode=0x0) [0139.649] GetEnvironmentStringsW () returned 0x801ee8* [0139.649] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0xa8c) returned 0x802980 [0139.650] FreeEnvironmentStringsW (penv=0x801ee8) returned 1 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x90) returned 0x7f4570 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3e) returned 0x7faa10 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x5c) returned 0x7f8848 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x6e) returned 0x7f4638 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x78) returned 0x803ec0 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x62) returned 0x7f4a08 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x28) returned 0x7f3da0 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x48) returned 0x7f3ff0 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1a) returned 0x7f0570 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3a) returned 0x7fac50 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x62) returned 0x7f3c00 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2a) returned 0x7f8650 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2e) returned 0x7f8538 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1c) returned 0x7f3dd0 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x144) returned 0x7f9cc0 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x7c) returned 0x7f80a8 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x36) returned 0x7fe638 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3a) returned 0x7fb088 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x90) returned 0x7f43a8 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3920 [0139.650] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x30) returned 0x7f8688 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x36) returned 0x7fe1f8 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x48) returned 0x7f2910 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x52) returned 0x7f04b8 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x3c) returned 0x7faa58 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0xd6) returned 0x7f9e80 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2e) returned 0x7f8570 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x1e) returned 0x7f2960 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2c) returned 0x7f85a8 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x54) returned 0x7f3e18 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x52) returned 0x7f4078 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3e78 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x42) returned 0x7f40d8 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x2c) returned 0x7f86c0 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x44) returned 0x7f9fb0 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x24) returned 0x7f3950 [0139.651] HeapFree (in: hHeap=0x7f0000, dwFlags=0x0, lpMem=0x802980 | out: hHeap=0x7f0000) returned 1 [0139.651] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x8, Size=0x800) returned 0x801ee8 [0139.652] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0139.652] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0139.652] GetStartupInfoW (in: lpStartupInfo=0x18f8f8 | out: lpStartupInfo=0x18f8f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0139.652] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"" [0139.652] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"", pNumArgs=0x18f8e4 | out: pNumArgs=0x18f8e4) returned 0x802b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0139.652] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0139.657] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x1000) returned 0x804420 [0139.658] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x44) returned 0x7fa6f8 [0139.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setPromptMask", cchWideChar=-1, lpMultiByteStr=0x7fa6f8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setPromptMask", lpUsedDefaultChar=0x0) returned 34 [0139.658] GetLastError () returned 0x0 [0139.658] SetLastError (dwErrCode=0x0) [0139.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskW") returned 0x0 [0139.658] GetLastError () returned 0x7f [0139.658] SetLastError (dwErrCode=0x7f) [0139.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskA") returned 0x0 [0139.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMask") returned 0x647c8071 [0139.658] RtlAllocateHeap (HeapHandle=0x7f0000, Flags=0x0, Size=0x4) returned 0x7f3828 [0139.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x7f3828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0139.659] GetActiveWindow () returned 0x0 [0139.659] GetLastError () returned 0x7f [0139.659] SetLastError (dwErrCode=0x7f) Thread: id = 383 os_tid = 0x83c Process: id = "190" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73ccd000" os_pid = "0x11ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "189" os_parent_pid = "0xcac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "191" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2ca7d000" os_pid = "0x1374" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12327 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12328 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12329 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12330 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12331 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12332 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12333 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12334 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12335 start_va = 0xc40000 end_va = 0xc41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 12336 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12337 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12338 start_va = 0x7e620000 end_va = 0x7e642fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e620000" filename = "" Region: id = 12339 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12340 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12341 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12342 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12344 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12345 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12346 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12347 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12348 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12349 start_va = 0xc50000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 12350 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12351 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12352 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12353 start_va = 0x7e520000 end_va = 0x7e61ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e520000" filename = "" Region: id = 12354 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12355 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 12356 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12357 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12358 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12359 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12360 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12362 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12363 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12364 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12365 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12366 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12367 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12368 start_va = 0xc40000 end_va = 0xc43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 12369 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12370 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12371 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12372 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12373 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12374 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12375 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12376 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12377 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12378 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12379 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 12380 start_va = 0xc50000 end_va = 0xc79fff monitored = 0 entry_point = 0xc55680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12381 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 12382 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12383 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12384 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 12385 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 12386 start_va = 0xc50000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 12387 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12388 start_va = 0xc50000 end_va = 0xce0fff monitored = 0 entry_point = 0xc88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12389 start_va = 0xe20000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 12390 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12391 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 12392 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 12393 start_va = 0xc60000 end_va = 0xc67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 12394 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 12395 start_va = 0xc70000 end_va = 0xc71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 12396 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 12397 start_va = 0xc70000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 12398 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 12399 start_va = 0xc70000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Thread: id = 384 os_tid = 0xd10 [0140.146] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0140.146] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.146] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0140.146] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.147] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0140.147] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0140.147] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.148] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0140.148] GetProcessHeap () returned 0xe30000 [0140.148] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0140.148] GetLastError () returned 0x7e [0140.149] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0140.149] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0140.149] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x364) returned 0xe409a0 [0140.149] SetLastError (dwErrCode=0x7e) [0140.149] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xe00) returned 0xe40d10 [0140.151] GetStartupInfoW (in: lpStartupInfo=0x18f870 | out: lpStartupInfo=0x18f870*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0140.151] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0140.151] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0140.151] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0140.151] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"" [0140.151] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"" [0140.152] GetACP () returned 0x4e4 [0140.152] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x220) returned 0xe41b18 [0140.152] IsValidCodePage (CodePage=0x4e4) returned 1 [0140.152] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f890 | out: lpCPInfo=0x18f890) returned 1 [0140.152] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f158 | out: lpCPInfo=0x18f158) returned 1 [0140.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.152] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f16c | out: lpCharType=0x18f16c) returned 1 [0140.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0140.152] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.152] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0140.152] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.152] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.153] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f66c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìX\x19ÿ¨ø\x18", lpUsedDefaultChar=0x0) returned 256 [0140.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f76c, cbMultiByte=256, lpWideCharStr=0x18eec8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ecb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0140.153] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f56c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìX\x19ÿ¨ø\x18", lpUsedDefaultChar=0x0) returned 256 [0140.153] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x80) returned 0xe33878 [0140.153] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0140.153] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x192) returned 0xe41d40 [0140.153] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0140.153] GetLastError () returned 0x0 [0140.153] SetLastError (dwErrCode=0x0) [0140.153] GetEnvironmentStringsW () returned 0xe41ee0* [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0xa8c) returned 0xe42978 [0140.154] FreeEnvironmentStringsW (penv=0xe41ee0) returned 1 [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe347c8 [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3e) returned 0xe3aff0 [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x5c) returned 0xe38aa0 [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x6e) returned 0xe34890 [0140.154] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x78) returned 0xe439b8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x62) returned 0xe34c60 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x28) returned 0xe33ff8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48) returned 0xe34248 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1a) returned 0xe30570 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3a) returned 0xe3a9c0 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x62) returned 0xe33e58 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a) returned 0xe386e8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2e) returned 0xe38678 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1c) returned 0xe34028 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x144) returned 0xe39cb8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7c) returned 0xe38300 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x36) returned 0xe3df70 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3a) returned 0xe3aa50 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe34600 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe33918 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x30) returned 0xe388a8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x36) returned 0xe3e230 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48) returned 0xe32908 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x52) returned 0xe304b8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3c) returned 0xe3b0c8 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xd6) returned 0xe39e78 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2e) returned 0xe388e0 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1e) returned 0xe32958 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2c) returned 0xe38720 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x54) returned 0xe34070 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x52) returned 0xe342d0 [0140.155] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe340d0 [0140.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x42) returned 0xe34330 [0140.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2c) returned 0xe38918 [0140.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x44) returned 0xe39fa8 [0140.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe33948 [0140.156] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe42978 | out: hHeap=0xe30000) returned 1 [0140.156] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800) returned 0xe41ee0 [0140.156] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0140.156] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0140.157] GetStartupInfoW (in: lpStartupInfo=0x18f8d4 | out: lpStartupInfo=0x18f8d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0140.157] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"" [0140.157] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"", pNumArgs=0x18f8c0 | out: pNumArgs=0x18f8c0) returned 0xe42b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0140.157] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0140.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x1000) returned 0xe44418 [0140.161] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x40) returned 0xe3ab28 [0140.161] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setUserData", cchWideChar=-1, lpMultiByteStr=0xe3ab28, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setUserData", lpUsedDefaultChar=0x0) returned 32 [0140.161] GetLastError () returned 0x0 [0140.161] SetLastError (dwErrCode=0x0) [0140.161] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataW") returned 0x0 [0140.161] GetLastError () returned 0x7f [0140.162] SetLastError (dwErrCode=0x7f) [0140.162] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataA") returned 0x0 [0140.162] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserData") returned 0x647c80d5 [0140.162] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x4) returned 0xe33820 [0140.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xe33820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0140.162] GetActiveWindow () returned 0x0 [0140.163] GetLastError () returned 0x7f [0140.163] SetLastError (dwErrCode=0x7f) Thread: id = 386 os_tid = 0xd00 Process: id = "192" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x71dea000" os_pid = "0x11dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "191" os_parent_pid = "0x1374" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "193" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6939a000" os_pid = "0xce4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12402 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12403 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12404 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12405 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12406 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12407 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12408 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12409 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12410 start_va = 0x800000 end_va = 0x801fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 12411 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12412 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12413 start_va = 0x7ec70000 end_va = 0x7ec92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 12414 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12415 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12416 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12417 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12421 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12422 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12423 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12424 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12425 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12426 start_va = 0x810000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 12427 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12428 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12430 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12431 start_va = 0x7eb70000 end_va = 0x7ec6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb70000" filename = "" Region: id = 12432 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12433 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12434 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12435 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12436 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 12437 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12438 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12439 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12440 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12441 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12442 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12443 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12444 start_va = 0x800000 end_va = 0x803fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 12445 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12446 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12447 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12448 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12449 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12450 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12451 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12452 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12453 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12454 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12455 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 12456 start_va = 0x810000 end_va = 0x839fff monitored = 0 entry_point = 0x815680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12457 start_va = 0x920000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 12458 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12459 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12460 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12461 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 12462 start_va = 0x810000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 12463 start_va = 0xa20000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 12464 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12465 start_va = 0x810000 end_va = 0x8a0fff monitored = 0 entry_point = 0x848cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12466 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 12469 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12470 start_va = 0x810000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 12471 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 12477 start_va = 0x820000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 12486 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 12487 start_va = 0x830000 end_va = 0x831fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 12488 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 12489 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 12490 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 12491 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Thread: id = 387 os_tid = 0xce0 [0140.707] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0140.707] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.707] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0140.707] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.707] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0140.707] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0140.708] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.708] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0140.709] GetProcessHeap () returned 0x920000 [0140.709] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.709] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0140.709] GetLastError () returned 0x7e [0140.709] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0140.710] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0140.710] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x364) returned 0x930a68 [0140.710] SetLastError (dwErrCode=0x7e) [0140.710] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0xe00) returned 0x930dd8 [0140.712] GetStartupInfoW (in: lpStartupInfo=0x18fc90 | out: lpStartupInfo=0x18fc90*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0140.712] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0140.712] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0140.712] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0140.712] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"" [0140.712] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"" [0140.712] GetACP () returned 0x4e4 [0140.712] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x220) returned 0x931be0 [0140.712] IsValidCodePage (CodePage=0x4e4) returned 1 [0140.712] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcb0 | out: lpCPInfo=0x18fcb0) returned 1 [0140.712] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f578 | out: lpCPInfo=0x18f578) returned 1 [0140.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.712] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x18f318, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.712] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f58c | out: lpCharType=0x18f58c) returned 1 [0140.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x18f2c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0140.713] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0140.713] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0140.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.713] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa8c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ #'ÙÈü\x18", lpUsedDefaultChar=0x0) returned 256 [0140.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.713] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb8c, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0140.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.713] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0140.714] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f98c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ #'ÙÈü\x18", lpUsedDefaultChar=0x0) returned 256 [0140.714] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x80) returned 0x923868 [0140.714] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0140.714] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x184) returned 0x931e08 [0140.714] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0140.714] GetLastError () returned 0x0 [0140.714] SetLastError (dwErrCode=0x0) [0140.714] GetEnvironmentStringsW () returned 0x931f98* [0140.714] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0xa8c) returned 0x932a30 [0140.715] FreeEnvironmentStringsW (penv=0x931f98) returned 1 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x90) returned 0x924558 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3e) returned 0x92acd0 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x5c) returned 0x928a98 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x6e) returned 0x924850 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x78) returned 0x933670 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x62) returned 0x9249f0 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x28) returned 0x923d88 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x48) returned 0x923fd8 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1a) returned 0x923db8 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3a) returned 0x92b078 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x62) returned 0x924620 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2a) returned 0x9287c0 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2e) returned 0x928868 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1c) returned 0x9247c0 [0140.715] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x144) returned 0x929cb0 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x7c) returned 0x924390 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x36) returned 0x92df78 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3a) returned 0x92aad8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x90) returned 0x923e00 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x9247e8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x30) returned 0x9289b8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x36) returned 0x92e1b8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x48) returned 0x923be8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x52) returned 0x923908 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x3c) returned 0x92ada8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0xd6) returned 0x929e70 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2e) returned 0x9289f0 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x1e) returned 0x923c38 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2c) returned 0x928670 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x54) returned 0x922900 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x52) returned 0x9204b8 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x924060 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x42) returned 0x924090 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x2c) returned 0x928910 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x44) returned 0x929fa0 [0140.716] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x24) returned 0x9240e0 [0140.717] HeapFree (in: hHeap=0x920000, dwFlags=0x0, lpMem=0x932a30 | out: hHeap=0x920000) returned 1 [0140.717] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x8, Size=0x800) returned 0x931f98 [0140.717] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0140.717] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0140.718] GetStartupInfoW (in: lpStartupInfo=0x18fcf4 | out: lpStartupInfo=0x18fcf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0140.718] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"" [0140.718] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"", pNumArgs=0x18fce0 | out: pNumArgs=0x18fce0) returned 0x932be8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0140.719] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0140.722] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x1000) returned 0x9344d0 [0140.722] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x32) returned 0x92e2f8 [0140.722] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_sign", cchWideChar=-1, lpMultiByteStr=0x92e2f8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_sign", lpUsedDefaultChar=0x0) returned 25 [0140.722] GetLastError () returned 0x0 [0140.722] SetLastError (dwErrCode=0x0) [0140.723] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signW") returned 0x0 [0140.723] GetLastError () returned 0x7f [0140.723] SetLastError (dwErrCode=0x7f) [0140.723] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signA") returned 0x0 [0140.723] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_sign") returned 0x647c70c6 [0140.723] RtlAllocateHeap (HeapHandle=0x920000, Flags=0x0, Size=0x4) returned 0x923e98 [0140.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x923e98, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0140.723] GetActiveWindow () returned 0x0 [0140.725] GetLastError () returned 0x7f [0140.725] SetLastError (dwErrCode=0x7f) Thread: id = 389 os_tid = 0x12cc Process: id = "194" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4ffec000" os_pid = "0x358" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "193" os_parent_pid = "0xce4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "195" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13cb0000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12504 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12505 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12506 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12507 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12508 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12509 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12510 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12511 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12512 start_va = 0x7d0000 end_va = 0x7d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 12513 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12514 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12515 start_va = 0x7e7d0000 end_va = 0x7e7f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7d0000" filename = "" Region: id = 12516 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12517 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12518 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12519 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12520 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12521 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12522 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12523 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12524 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12525 start_va = 0x7e0000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 12526 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12527 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12528 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12529 start_va = 0x7e6d0000 end_va = 0x7e7cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6d0000" filename = "" Region: id = 12530 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12531 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12532 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12533 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12534 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 12535 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12536 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12537 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12538 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12539 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12540 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12541 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12542 start_va = 0x7d0000 end_va = 0x7d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 12543 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12544 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12545 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12546 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12547 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12548 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12549 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12550 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12551 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12552 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12553 start_va = 0x7e0000 end_va = 0x809fff monitored = 0 entry_point = 0x7e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12554 start_va = 0x940000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 12555 start_va = 0xa40000 end_va = 0xbc7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 12556 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12557 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12558 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12559 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 12560 start_va = 0x7e0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 12561 start_va = 0xbd0000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 12562 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12563 start_va = 0x810000 end_va = 0x8a0fff monitored = 0 entry_point = 0x848cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12564 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12565 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 12566 start_va = 0x800000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 12567 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 12568 start_va = 0x7f0000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 12571 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 12572 start_va = 0x810000 end_va = 0x811fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 12573 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 12574 start_va = 0x810000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 12575 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 12576 start_va = 0x810000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Thread: id = 391 os_tid = 0x110c [0142.060] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0142.061] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.061] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0142.061] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.061] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0142.061] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0142.062] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.063] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0142.063] GetProcessHeap () returned 0x940000 [0142.063] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.063] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0142.063] GetLastError () returned 0x7e [0142.064] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0142.064] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0142.067] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x364) returned 0x9509a0 [0142.067] SetLastError (dwErrCode=0x7e) [0142.067] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0xe00) returned 0x950d10 [0142.069] GetStartupInfoW (in: lpStartupInfo=0x18fd38 | out: lpStartupInfo=0x18fd38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0142.069] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0142.069] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0142.069] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0142.069] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"" [0142.069] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"" [0142.069] GetACP () returned 0x4e4 [0142.069] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0x220) returned 0x951b18 [0142.070] IsValidCodePage (CodePage=0x4e4) returned 1 [0142.070] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd58 | out: lpCPInfo=0x18fd58) returned 1 [0142.070] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f620 | out: lpCPInfo=0x18f620) returned 1 [0142.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0142.070] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f634 | out: lpCharType=0x18f634) returned 1 [0142.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.070] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x18f378, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0142.070] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.070] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0142.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0142.070] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f168, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0142.071] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk\x02T+pý\x18", lpUsedDefaultChar=0x0) returned 256 [0142.071] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.071] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0142.071] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0142.071] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0142.071] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk\x02T+pý\x18", lpUsedDefaultChar=0x0) returned 256 [0142.071] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0x80) returned 0x943870 [0142.071] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0142.071] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x18a) returned 0x951d40 [0142.071] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0142.071] GetLastError () returned 0x0 [0142.071] SetLastError (dwErrCode=0x0) [0142.071] GetEnvironmentStringsW () returned 0x951ed8* [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0xa8c) returned 0x952970 [0142.072] FreeEnvironmentStringsW (penv=0x951ed8) returned 1 [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x90) returned 0x9447c8 [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x3e) returned 0x94adf8 [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x5c) returned 0x948aa0 [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x6e) returned 0x944890 [0142.072] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x78) returned 0x953fb0 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x62) returned 0x944c60 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x28) returned 0x943d90 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x48) returned 0x944248 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x1a) returned 0x940570 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x3a) returned 0x94b080 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x62) returned 0x943bf0 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x2a) returned 0x9489f8 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x2e) returned 0x948988 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x1c) returned 0x943dc0 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x144) returned 0x949cb8 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x7c) returned 0x948300 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x36) returned 0x94e2b0 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x3a) returned 0x94aa08 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x90) returned 0x944600 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x24) returned 0x943910 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x30) returned 0x9486b0 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x36) returned 0x94e370 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x48) returned 0x942900 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x52) returned 0x9404b8 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x3c) returned 0x94ad68 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0xd6) returned 0x949e78 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x2e) returned 0x9486e8 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x1e) returned 0x942950 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x2c) returned 0x9488a8 [0142.073] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x54) returned 0x943e08 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x52) returned 0x9442d0 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x24) returned 0x943e68 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x42) returned 0x944330 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x2c) returned 0x948720 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x44) returned 0x949fa8 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x24) returned 0x943940 [0142.074] HeapFree (in: hHeap=0x940000, dwFlags=0x0, lpMem=0x952970 | out: hHeap=0x940000) returned 1 [0142.074] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x8, Size=0x800) returned 0x951ed8 [0142.075] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0142.075] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0142.075] GetStartupInfoW (in: lpStartupInfo=0x18fd9c | out: lpStartupInfo=0x18fd9c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0142.075] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"" [0142.075] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"", pNumArgs=0x18fd88 | out: pNumArgs=0x18fd88) returned 0x952b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0142.076] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0142.084] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0x1000) returned 0x954410 [0142.084] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0x38) returned 0x94df70 [0142.084] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signAny", cchWideChar=-1, lpMultiByteStr=0x94df70, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signAny", lpUsedDefaultChar=0x0) returned 28 [0142.084] GetLastError () returned 0x0 [0142.085] SetLastError (dwErrCode=0x0) [0142.085] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyW") returned 0x0 [0142.085] GetLastError () returned 0x7f [0142.085] SetLastError (dwErrCode=0x7f) [0142.085] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyA") returned 0x0 [0142.085] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAny") returned 0x647c779a [0142.085] RtlAllocateHeap (HeapHandle=0x940000, Flags=0x0, Size=0x4) returned 0x943818 [0142.085] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x943818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0142.086] GetActiveWindow () returned 0x0 [0142.087] GetLastError () returned 0x7f [0142.087] SetLastError (dwErrCode=0x7f) Thread: id = 393 os_tid = 0x1100 Process: id = "196" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x18633000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "195" os_parent_pid = "0x12bc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "197" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x675c8000" os_pid = "0xd1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12584 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12585 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12586 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12587 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12588 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12589 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12590 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12591 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12592 start_va = 0xfc0000 end_va = 0xfc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 12593 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12594 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12595 start_va = 0x7f110000 end_va = 0x7f132fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f110000" filename = "" Region: id = 12596 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12597 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12598 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12599 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12600 start_va = 0x400000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12601 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12602 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12603 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12604 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12605 start_va = 0xfd0000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 12606 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12607 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12610 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12611 start_va = 0x7f010000 end_va = 0x7f10ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f010000" filename = "" Region: id = 12612 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12613 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 12614 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12615 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12616 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12617 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12618 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12619 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12620 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12621 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12622 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12623 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12624 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12625 start_va = 0xfc0000 end_va = 0xfc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 12626 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12627 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12628 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12629 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12630 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12631 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12632 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12633 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12634 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12635 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12636 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 12637 start_va = 0xfd0000 end_va = 0xff9fff monitored = 0 entry_point = 0xfd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12638 start_va = 0x1080000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 12639 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12640 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12641 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 12642 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 12643 start_va = 0xfd0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 12644 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12645 start_va = 0x1180000 end_va = 0x1210fff monitored = 0 entry_point = 0x11b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12646 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12648 start_va = 0xfd0000 end_va = 0xfd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 12649 start_va = 0x1050000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 12650 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 12651 start_va = 0xfe0000 end_va = 0xfe7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 12652 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 12653 start_va = 0xff0000 end_va = 0xff1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 12654 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 12655 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 12656 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 12657 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Thread: id = 395 os_tid = 0x1314 [0142.883] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0142.883] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.883] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0142.883] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.883] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0142.883] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0142.884] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.884] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0142.885] GetProcessHeap () returned 0x1080000 [0142.885] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.885] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0142.885] GetLastError () returned 0x7e [0142.885] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0142.885] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0142.885] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x364) returned 0x10909a0 [0142.885] SetLastError (dwErrCode=0x7e) [0142.885] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xe00) returned 0x1090d10 [0142.887] GetStartupInfoW (in: lpStartupInfo=0x18f6f0 | out: lpStartupInfo=0x18f6f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0142.887] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0142.887] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0142.887] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0142.887] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"" [0142.887] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"" [0142.887] GetACP () returned 0x4e4 [0142.887] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x220) returned 0x1091b18 [0142.887] IsValidCodePage (CodePage=0x4e4) returned 1 [0142.887] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f710 | out: lpCPInfo=0x18f710) returned 1 [0142.887] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18efd8 | out: lpCPInfo=0x18efd8) returned 1 [0142.887] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.887] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x18ed78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0142.887] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18efec | out: lpCharType=0x18efec) returned 1 [0142.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x18ed28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0142.888] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0142.888] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0142.888] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0142.888] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0142.888] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f4ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ$: ¹(÷\x18", lpUsedDefaultChar=0x0) returned 256 [0142.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0142.888] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5ec, cbMultiByte=256, lpWideCharStr=0x18ed48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0142.888] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0142.888] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eb38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0142.888] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f3ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ$: ¹(÷\x18", lpUsedDefaultChar=0x0) returned 256 [0142.888] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x80) returned 0x1083878 [0142.888] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0142.888] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x192) returned 0x1091d40 [0142.888] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0142.888] GetLastError () returned 0x0 [0142.888] SetLastError (dwErrCode=0x0) [0142.888] GetEnvironmentStringsW () returned 0x1091ee0* [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0xa8c) returned 0x1092978 [0142.889] FreeEnvironmentStringsW (penv=0x1091ee0) returned 1 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x1084568 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3e) returned 0x108acd8 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x5c) returned 0x1088840 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x6e) returned 0x1084630 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x78) returned 0x10935b8 [0142.889] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1084a00 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x28) returned 0x1083d98 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1083fe8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1a) returned 0x1080570 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108adb0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1083bf8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2a) returned 0x10885a0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x1088760 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1c) returned 0x1083dc8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x144) returned 0x1089cb8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x7c) returned 0x10880a0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108dfb0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108af18 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x10843a0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083918 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x30) returned 0x1088798 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108dff0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1082908 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x10804b8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3c) returned 0x108ae40 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xd6) returned 0x1089e78 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x10885d8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1e) returned 0x1082958 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x1088568 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x54) returned 0x1083e10 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x1084070 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083e70 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x42) returned 0x10840d0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x10886f0 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x44) returned 0x1089fa8 [0142.890] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083948 [0142.891] HeapFree (in: hHeap=0x1080000, dwFlags=0x0, lpMem=0x1092978 | out: hHeap=0x1080000) returned 1 [0142.891] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x800) returned 0x1091ee0 [0142.891] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0142.891] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0142.891] GetStartupInfoW (in: lpStartupInfo=0x18f754 | out: lpStartupInfo=0x18f754*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0142.891] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"" [0142.892] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"", pNumArgs=0x18f740 | out: pNumArgs=0x18f740) returned 0x1092b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0142.945] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0142.949] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x1000) returned 0x1094418 [0142.949] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x40) returned 0x108ae88 [0142.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signRecover", cchWideChar=-1, lpMultiByteStr=0x108ae88, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signRecover", lpUsedDefaultChar=0x0) returned 32 [0142.949] GetLastError () returned 0x0 [0142.949] SetLastError (dwErrCode=0x0) [0142.950] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverW") returned 0x0 [0142.950] GetLastError () returned 0x7f [0142.950] SetLastError (dwErrCode=0x7f) [0142.950] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverA") returned 0x0 [0142.950] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecover") returned 0x647c727b [0142.950] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x4) returned 0x1083820 [0142.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x1083820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0142.950] GetActiveWindow () returned 0x0 [0142.982] GetLastError () returned 0x7f [0142.982] SetLastError (dwErrCode=0x7f) Thread: id = 397 os_tid = 0x11a8 Process: id = "198" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2b9e0000" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12658 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12659 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12660 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12661 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12662 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12663 start_va = 0xd40000 end_va = 0xd41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 12664 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12665 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12666 start_va = 0x7f8c0000 end_va = 0x7f8e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8c0000" filename = "" Region: id = 12667 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12668 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12669 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12670 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12671 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12672 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12673 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12695 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12696 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12697 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12698 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12699 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12700 start_va = 0xd50000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 12706 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12707 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12708 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12709 start_va = 0x7f7c0000 end_va = 0x7f8bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7c0000" filename = "" Region: id = 12710 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12711 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 12712 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12713 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12714 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12715 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 12716 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12717 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12731 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12732 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12733 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12734 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12735 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12736 start_va = 0xd40000 end_va = 0xd43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 12737 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12738 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12739 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12740 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12741 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12742 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12743 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12744 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12745 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12746 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12761 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 12762 start_va = 0xd50000 end_va = 0xd79fff monitored = 0 entry_point = 0xd55680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12763 start_va = 0xe10000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 12764 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12770 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12771 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12772 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 12773 start_va = 0xf10000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 12774 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12775 start_va = 0xd50000 end_va = 0xde0fff monitored = 0 entry_point = 0xd88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12779 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12782 start_va = 0xd50000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 12783 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 12784 start_va = 0xd60000 end_va = 0xd67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 12790 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 12791 start_va = 0xd70000 end_va = 0xd71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 12792 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 12793 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 12794 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 12795 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Thread: id = 398 os_tid = 0x1278 [0143.611] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0143.612] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0143.612] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0143.612] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0143.612] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0143.612] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0143.613] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0143.613] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0143.614] GetProcessHeap () returned 0xe10000 [0143.614] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0143.614] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0143.614] GetLastError () returned 0x7e [0143.614] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0143.614] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0143.614] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x364) returned 0xe20a60 [0143.614] SetLastError (dwErrCode=0x7e) [0143.615] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0xe00) returned 0xe20dd0 [0143.616] GetStartupInfoW (in: lpStartupInfo=0x18fbac | out: lpStartupInfo=0x18fbac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0143.616] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0143.616] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0143.617] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0143.617] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"" [0143.617] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"" [0143.617] GetACP () returned 0x4e4 [0143.617] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x220) returned 0xe21bd8 [0143.617] IsValidCodePage (CodePage=0x4e4) returned 1 [0143.617] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbcc | out: lpCPInfo=0x18fbcc) returned 1 [0143.617] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f494 | out: lpCPInfo=0x18f494) returned 1 [0143.617] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0143.617] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0143.617] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f4a8 | out: lpCharType=0x18f4a8) returned 1 [0143.617] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0143.617] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x18f1e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0143.617] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0143.617] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0143.617] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0143.618] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18efd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0143.618] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9a8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x05ª*\x09äû\x18", lpUsedDefaultChar=0x0) returned 256 [0143.618] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0143.618] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpWideCharStr=0x18f208, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0143.618] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0143.618] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eff8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0143.618] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8a8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x05ª*\x09äû\x18", lpUsedDefaultChar=0x0) returned 256 [0143.618] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x80) returned 0xe13868 [0143.618] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0143.618] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x188) returned 0xe21e00 [0143.618] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0143.618] GetLastError () returned 0x0 [0143.618] SetLastError (dwErrCode=0x0) [0143.618] GetEnvironmentStringsW () returned 0xe21f90* [0143.618] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0xa8c) returned 0xe22a28 [0143.619] FreeEnvironmentStringsW (penv=0xe21f90) returned 1 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x90) returned 0xe147b8 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3e) returned 0xe1ac80 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x5c) returned 0xe18a90 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x6e) returned 0xe14880 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x78) returned 0xe23de8 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x62) returned 0xe14c50 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x28) returned 0xe13d88 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x48) returned 0xe14238 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1a) returned 0xe10570 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3a) returned 0xe1aec0 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x62) returned 0xe13be8 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2a) returned 0xe18978 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2e) returned 0xe18828 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1c) returned 0xe13db8 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x144) returned 0xe19ca8 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x7c) returned 0xe182f0 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x36) returned 0xe1e4b0 [0143.619] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3a) returned 0xe1b070 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x90) returned 0xe145f0 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe13908 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x30) returned 0xe187b8 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x36) returned 0xe1dff0 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x48) returned 0xe12900 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x52) returned 0xe104b8 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x3c) returned 0xe1af08 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0xd6) returned 0xe19e68 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2e) returned 0xe187f0 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x1e) returned 0xe12950 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2c) returned 0xe188d0 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x54) returned 0xe13e00 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x52) returned 0xe142c0 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe13e60 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x42) returned 0xe14320 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x2c) returned 0xe189e8 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x44) returned 0xe19f98 [0143.620] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x24) returned 0xe13938 [0143.621] HeapFree (in: hHeap=0xe10000, dwFlags=0x0, lpMem=0xe22a28 | out: hHeap=0xe10000) returned 1 [0143.621] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x8, Size=0x800) returned 0xe21f90 [0143.621] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0143.621] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0143.621] GetStartupInfoW (in: lpStartupInfo=0x18fc10 | out: lpStartupInfo=0x18fc10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0143.622] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"" [0143.622] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"", pNumArgs=0x18fbfc | out: pNumArgs=0x18fbfc) returned 0xe22be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0143.622] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0143.625] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x1000) returned 0xe244c8 [0143.625] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x36) returned 0xe1e030 [0143.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_unwrap", cchWideChar=-1, lpMultiByteStr=0xe1e030, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_unwrap", lpUsedDefaultChar=0x0) returned 27 [0143.625] GetLastError () returned 0x0 [0143.625] SetLastError (dwErrCode=0x0) [0143.625] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapW") returned 0x0 [0143.625] GetLastError () returned 0x7f [0143.625] SetLastError (dwErrCode=0x7f) [0143.626] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapA") returned 0x0 [0143.626] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrap") returned 0x647c75e5 [0143.626] RtlAllocateHeap (HeapHandle=0xe10000, Flags=0x0, Size=0x4) returned 0xe13810 [0143.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xe13810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0143.626] GetActiveWindow () returned 0x0 [0143.634] GetLastError () returned 0x7f [0143.634] SetLastError (dwErrCode=0x7f) Thread: id = 401 os_tid = 0xcd8 Process: id = "199" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x4fa67000" os_pid = "0xc8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "197" os_parent_pid = "0xd1c" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3356 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12674 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12675 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12676 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12677 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12678 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 12679 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 12680 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 12681 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12682 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12683 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 12684 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 12685 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12686 start_va = 0x7e860000 end_va = 0x7e882fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e860000" filename = "" Region: id = 12687 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12688 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12689 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 12690 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12691 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12692 start_va = 0x100000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12693 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12694 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12701 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12702 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12703 start_va = 0x410000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 12704 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12705 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12718 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12719 start_va = 0x7e760000 end_va = 0x7e85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e760000" filename = "" Region: id = 12720 start_va = 0x130000 end_va = 0x1edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12721 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12722 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12723 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 12724 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 12725 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12726 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12727 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12728 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12729 start_va = 0x480000 end_va = 0x483fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 12730 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12747 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12748 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 12749 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12750 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12751 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 12752 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 12753 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12754 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 12755 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 12756 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 12757 start_va = 0x490000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 12758 start_va = 0x510000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 12759 start_va = 0x490000 end_va = 0x493fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 12760 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 12765 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12766 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12767 start_va = 0x4a0000 end_va = 0x4c9fff monitored = 0 entry_point = 0x4a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12768 start_va = 0x700000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 12769 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12776 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 12777 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 12778 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 12785 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12786 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 12787 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 12788 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 12789 start_va = 0xa20000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 12796 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 12797 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 12798 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12799 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12800 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 12801 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 12802 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12803 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12804 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12805 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12806 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12807 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12808 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12809 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12810 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12811 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12812 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12813 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12814 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12815 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12816 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12817 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12818 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12819 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12820 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12821 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12822 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12823 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12824 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12825 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12826 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12827 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12828 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 12831 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 12832 start_va = 0x550000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 12833 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 12834 start_va = 0xa20000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 12835 start_va = 0xc00000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 12839 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 12840 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12857 start_va = 0x6dd70000 end_va = 0x6e18dfff monitored = 0 entry_point = 0x6de6ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 12858 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12859 start_va = 0x6f8d0000 end_va = 0x6f93ffff monitored = 0 entry_point = 0x6f924b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 12860 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 12861 start_va = 0xaa0000 end_va = 0xb89fff monitored = 0 entry_point = 0xadd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12870 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 12871 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12872 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 12873 start_va = 0xaa0000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 12874 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12895 start_va = 0xc10000 end_va = 0xf46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 12896 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12906 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12907 start_va = 0x4e0000 end_va = 0x4e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12908 start_va = 0x4e0000 end_va = 0x4e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12909 start_va = 0xf50000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 12910 start_va = 0x4e0000 end_va = 0x4e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12911 start_va = 0x4e0000 end_va = 0x4ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12912 start_va = 0x4e0000 end_va = 0x4edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12913 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12914 start_va = 0x4e0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12915 start_va = 0x4e0000 end_va = 0x4f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12916 start_va = 0x4e0000 end_va = 0x4f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12917 start_va = 0x4e0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12918 start_va = 0x4e0000 end_va = 0x4f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12919 start_va = 0x4e0000 end_va = 0x4fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12920 start_va = 0x4e0000 end_va = 0x4fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12921 start_va = 0x4e0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 12936 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 12945 start_va = 0x510000 end_va = 0x5d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 12962 start_va = 0x6610000 end_va = 0x66b9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 12969 start_va = 0x66c0000 end_va = 0x6770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 13060 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 13061 start_va = 0x4f0000 end_va = 0x4f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 13062 start_va = 0x510000 end_va = 0x513fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 13063 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 13064 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13065 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13066 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13067 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13068 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13079 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13080 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13081 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13082 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13083 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13084 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13085 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13086 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13087 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13088 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13089 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13090 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13091 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13092 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13093 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13094 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13095 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13096 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 13097 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13098 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13109 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13110 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13111 start_va = 0x520000 end_va = 0x526fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13112 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 13113 start_va = 0x110000 end_va = 0x111fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 13114 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13115 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13116 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13117 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13118 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13123 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 13124 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 13125 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 13126 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 13127 start_va = 0x520000 end_va = 0x520fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 13128 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 13129 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 13130 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 13131 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 13140 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 13774 start_va = 0x590000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 13775 start_va = 0xba0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 13776 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 13777 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 13778 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 13779 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 13780 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 14122 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 14123 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 14550 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 14985 start_va = 0x520000 end_va = 0x524fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 14986 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 14987 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 15322 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 15723 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 15724 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 15725 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 15726 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16111 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16207 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 16208 start_va = 0x6f840000 end_va = 0x6f8bafff monitored = 0 entry_point = 0x6f864d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 16225 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 16226 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 16237 start_va = 0x6f7b0000 end_va = 0x6f830fff monitored = 0 entry_point = 0x6f7b6310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 16238 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 16239 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 16240 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 16241 start_va = 0x6890000 end_va = 0x694bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006890000" filename = "" Region: id = 16242 start_va = 0x560000 end_va = 0x563fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 16243 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 16244 start_va = 0x570000 end_va = 0x573fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 16245 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 16246 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 16247 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 16260 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 16261 start_va = 0x6f740000 end_va = 0x6f74cfff monitored = 0 entry_point = 0x6f747d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 16262 start_va = 0xbe0000 end_va = 0xbe2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 16263 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 16306 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 16307 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 16308 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 16324 start_va = 0xbf0000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 16325 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 399 os_tid = 0x1390 Thread: id = 402 os_tid = 0x127c Thread: id = 403 os_tid = 0xca8 Thread: id = 427 os_tid = 0xdfc Thread: id = 431 os_tid = 0xc30 Thread: id = 432 os_tid = 0xe18 Thread: id = 475 os_tid = 0xc0c Thread: id = 485 os_tid = 0x10d8 Process: id = "200" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52d33000" os_pid = "0x1274" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "198" os_parent_pid = "0xbbc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "201" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4f8f8000" os_pid = "0x1328" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12841 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12842 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12843 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12844 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12845 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12846 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12847 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12848 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12849 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12850 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12851 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12852 start_va = 0x7e700000 end_va = 0x7e722fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e700000" filename = "" Region: id = 12853 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12854 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12855 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12856 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12862 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12863 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12864 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12865 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12866 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12867 start_va = 0x4a0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 12868 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12869 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12875 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12876 start_va = 0x7e600000 end_va = 0x7e6fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e600000" filename = "" Region: id = 12877 start_va = 0x610000 end_va = 0x6cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12878 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12879 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12880 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12881 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 12882 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 12883 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12884 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12885 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12886 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12887 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12888 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12889 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12890 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12891 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12892 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12893 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12894 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12897 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12898 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12899 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12900 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12901 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12902 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12903 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12904 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 12905 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 12922 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 12923 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 12924 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 12925 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 12926 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 12927 start_va = 0xaf0000 end_va = 0xb80fff monitored = 0 entry_point = 0xb28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 12930 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 12931 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 12932 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12933 start_va = 0x440000 end_va = 0x447fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12939 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 12940 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 12941 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 12942 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 12943 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 12944 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Thread: id = 405 os_tid = 0x98c [0144.442] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0144.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0144.442] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0144.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0144.442] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0144.442] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0144.443] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0144.443] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0144.443] GetProcessHeap () returned 0x510000 [0144.443] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0144.444] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0144.444] GetLastError () returned 0x7e [0144.444] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0144.444] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0144.444] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x364) returned 0x520a48 [0144.444] SetLastError (dwErrCode=0x7e) [0144.444] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xe00) returned 0x520db8 [0144.446] GetStartupInfoW (in: lpStartupInfo=0x18fe38 | out: lpStartupInfo=0x18fe38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0144.446] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0144.446] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0144.446] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0144.446] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"" [0144.446] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"" [0144.446] GetACP () returned 0x4e4 [0144.446] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x220) returned 0x521bc0 [0144.446] IsValidCodePage (CodePage=0x4e4) returned 1 [0144.446] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe58 | out: lpCPInfo=0x18fe58) returned 1 [0144.446] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f720 | out: lpCPInfo=0x18f720) returned 1 [0144.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0144.446] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f734 | out: lpCharType=0x18f734) returned 1 [0144.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0144.447] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0144.447] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0144.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0144.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0144.447] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1aå̬pþ\x18", lpUsedDefaultChar=0x0) returned 256 [0144.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0144.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd34, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0144.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0144.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0144.447] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1aå̬pþ\x18", lpUsedDefaultChar=0x0) returned 256 [0144.447] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x80) returned 0x513850 [0144.447] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0144.447] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x174) returned 0x521de8 [0144.447] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0144.447] GetLastError () returned 0x0 [0144.448] SetLastError (dwErrCode=0x0) [0144.448] GetEnvironmentStringsW () returned 0x521f68* [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xa8c) returned 0x522a00 [0144.448] FreeEnvironmentStringsW (penv=0x521f68) returned 1 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x514540 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3e) returned 0x51ac68 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x5c) returned 0x518818 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x6e) returned 0x514608 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x78) returned 0x5240c0 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x5149d8 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x28) returned 0x513d70 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x513fc0 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1a) returned 0x510570 [0144.448] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51add0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x62) returned 0x513bd0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2a) returned 0x518540 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x5185b0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1c) returned 0x513da0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x144) returned 0x519c90 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x7c) returned 0x518078 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e058 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3a) returned 0x51b010 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x90) returned 0x514378 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x5138f0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x30) returned 0x5184d0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x36) returned 0x51e098 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x48) returned 0x5128f0 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x5104b8 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x3c) returned 0x51af80 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0xd6) returned 0x519e50 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2e) returned 0x518738 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x1e) returned 0x512940 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x518690 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x54) returned 0x513de8 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x52) returned 0x514048 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513e48 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x42) returned 0x5140a8 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x2c) returned 0x518578 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x44) returned 0x519f80 [0144.449] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x24) returned 0x513920 [0144.450] HeapFree (in: hHeap=0x510000, dwFlags=0x0, lpMem=0x522a00 | out: hHeap=0x510000) returned 1 [0144.450] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x8, Size=0x800) returned 0x521f68 [0144.450] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0144.450] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0144.450] GetStartupInfoW (in: lpStartupInfo=0x18fe9c | out: lpStartupInfo=0x18fe9c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0144.450] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"" [0144.450] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"", pNumArgs=0x18fe88 | out: pNumArgs=0x18fe88) returned 0x522bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0144.451] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0144.526] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1000) returned 0x5244a0 [0144.526] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x22) returned 0x51a6c8 [0144.526] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_del", cchWideChar=-1, lpMultiByteStr=0x51a6c8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_del", lpUsedDefaultChar=0x0) returned 17 [0144.526] GetLastError () returned 0x0 [0144.527] SetLastError (dwErrCode=0x0) [0144.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delW") returned 0x0 [0144.527] GetLastError () returned 0x7f [0144.527] SetLastError (dwErrCode=0x7f) [0144.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delA") returned 0x0 [0144.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_del") returned 0x647cc884 [0144.527] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x5137f8 [0144.527] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x5137f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0144.527] GetActiveWindow () returned 0x0 [0144.528] GetLastError () returned 0x7f [0144.528] SetLastError (dwErrCode=0x7f) Thread: id = 407 os_tid = 0xc84 Process: id = "202" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xea3000" os_pid = "0x11ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "197" os_parent_pid = "0xd1c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "203" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7ca0d000" os_pid = "0x11f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "201" os_parent_pid = "0x1328" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "204" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x19e0f000" os_pid = "0x13cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 12946 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 12947 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 12948 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 12949 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 12950 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 12951 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 12952 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 12953 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 12954 start_va = 0xd00000 end_va = 0xd01fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 12955 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 12956 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 12957 start_va = 0x7eb80000 end_va = 0x7eba2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb80000" filename = "" Region: id = 12958 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 12959 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 12960 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 12961 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 12963 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 12964 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 12965 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 12966 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12967 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 12968 start_va = 0xd10000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 12970 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 12971 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 12972 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 12973 start_va = 0x7ea80000 end_va = 0x7eb7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea80000" filename = "" Region: id = 12974 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 12975 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 12976 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 12977 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 12978 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 12979 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 12980 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 12981 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 12982 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 12983 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 12984 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 12985 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 12987 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 12988 start_va = 0xd00000 end_va = 0xd03fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 12989 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 12990 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 12991 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 12992 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 12993 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 12994 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 12995 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 12996 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 12997 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 12998 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 12999 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 13000 start_va = 0xd10000 end_va = 0xd39fff monitored = 0 entry_point = 0xd15680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13001 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 13002 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13011 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13012 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13013 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 13014 start_va = 0xd10000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 13015 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 13016 start_va = 0xd60000 end_va = 0xdf0fff monitored = 0 entry_point = 0xd98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13028 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 13029 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 13030 start_va = 0xd50000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 13031 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 13032 start_va = 0xd20000 end_va = 0xd27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 13069 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 13070 start_va = 0xd30000 end_va = 0xd31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 13071 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 13072 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 13099 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 13100 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Thread: id = 409 os_tid = 0x13c4 [0145.535] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0145.535] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0145.535] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0145.535] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0145.535] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0145.535] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0145.536] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0145.536] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0145.537] GetProcessHeap () returned 0xe30000 [0145.537] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0145.537] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0145.537] GetLastError () returned 0x7e [0145.537] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0145.537] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0145.537] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x364) returned 0xe40968 [0145.537] SetLastError (dwErrCode=0x7e) [0145.538] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xe00) returned 0xe40cd8 [0145.539] GetStartupInfoW (in: lpStartupInfo=0x18fe98 | out: lpStartupInfo=0x18fe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0145.539] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0145.539] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0145.539] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0145.539] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"" [0145.539] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"" [0145.539] GetACP () returned 0x4e4 [0145.539] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x220) returned 0xe41ae0 [0145.539] IsValidCodePage (CodePage=0x4e4) returned 1 [0145.539] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18feb8 | out: lpCPInfo=0x18feb8) returned 1 [0145.539] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f780 | out: lpCPInfo=0x18f780) returned 1 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x18f528, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0145.540] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f794 | out: lpCharType=0x18f794) returned 1 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0145.540] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0145.540] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0145.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0145.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0145.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÈ®¨¯Ðþ\x18", lpUsedDefaultChar=0x0) returned 256 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0145.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd94, cbMultiByte=256, lpWideCharStr=0x18f4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0145.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0145.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0145.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÈ®¨¯Ðþ\x18", lpUsedDefaultChar=0x0) returned 256 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x80) returned 0xe33878 [0145.541] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x18c) returned 0xe41d08 [0145.541] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0145.541] GetLastError () returned 0x0 [0145.541] SetLastError (dwErrCode=0x0) [0145.541] GetEnvironmentStringsW () returned 0xe41ea0* [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0xa8c) returned 0xe42938 [0145.541] FreeEnvironmentStringsW (penv=0xe41ea0) returned 1 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe34568 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3e) returned 0xe3adc0 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x5c) returned 0xe38a68 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x6e) returned 0xe34860 [0145.541] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x78) returned 0xe43bf8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x62) returned 0xe33fe8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x28) returned 0xe39e40 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48) returned 0xe33d98 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1a) returned 0xe34630 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3a) returned 0xe3ad78 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x62) returned 0xe347d0 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2a) returned 0xe38870 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2e) returned 0xe38678 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1c) returned 0xe34658 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x144) returned 0xe39c80 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x7c) returned 0xe382c8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x36) returned 0xe3e0b8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3a) returned 0xe3ae08 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x90) returned 0xe3a290 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe33bf8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x30) returned 0xe389c0 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x36) returned 0xe3e4b8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x48) returned 0xe33918 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x52) returned 0xe32908 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x3c) returned 0xe3a988 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0xd6) returned 0xe304a0 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2e) returned 0xe38800 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x1e) returned 0xe30580 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2c) returned 0xe386e8 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x54) returned 0xe343a0 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x52) returned 0xe33e10 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe34400 [0145.542] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x42) returned 0xe34070 [0145.543] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x2c) returned 0xe38790 [0145.543] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x44) returned 0xe340c0 [0145.543] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x24) returned 0xe33e70 [0145.544] HeapFree (in: hHeap=0xe30000, dwFlags=0x0, lpMem=0xe42938 | out: hHeap=0xe30000) returned 1 [0145.544] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x8, Size=0x800) returned 0xe41ea0 [0145.544] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0145.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0145.544] GetStartupInfoW (in: lpStartupInfo=0x18fefc | out: lpStartupInfo=0x18fefc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0145.544] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"" [0145.544] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"", pNumArgs=0x18fee8 | out: pNumArgs=0x18fee8) returned 0xe42af0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0145.545] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0145.673] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x1000) returned 0xe443d8 [0145.673] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x3a) returned 0xe3ae50 [0145.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_enumDataObjects", cchWideChar=-1, lpMultiByteStr=0xe3ae50, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_enumDataObjects", lpUsedDefaultChar=0x0) returned 29 [0145.673] GetLastError () returned 0x0 [0145.673] SetLastError (dwErrCode=0x0) [0145.674] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsW") returned 0x0 [0145.674] GetLastError () returned 0x7f [0145.674] SetLastError (dwErrCode=0x7f) [0145.674] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsA") returned 0x0 [0145.674] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjects") returned 0x647ccc50 [0145.674] RtlAllocateHeap (HeapHandle=0xe30000, Flags=0x0, Size=0x4) returned 0xe34110 [0145.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xe34110, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0145.674] GetActiveWindow () returned 0x0 [0145.731] GetLastError () returned 0x7f [0145.731] SetLastError (dwErrCode=0x7f) Thread: id = 411 os_tid = 0x13d4 Process: id = "205" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x722ac000" os_pid = "0x4ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "204" os_parent_pid = "0x13cc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "206" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x69727000" os_pid = "0x13bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13155 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13156 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13157 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13158 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13159 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13160 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 13161 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13162 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13163 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 13164 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 13165 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13166 start_va = 0x7e980000 end_va = 0x7e9a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 13167 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13168 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13169 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13170 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13171 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13172 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13173 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13174 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13175 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13176 start_va = 0x600000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 13177 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13178 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13179 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13180 start_va = 0x7e880000 end_va = 0x7e97ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e880000" filename = "" Region: id = 13181 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13182 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13183 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13184 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13185 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 13186 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13187 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13188 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13189 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13190 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13191 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13192 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13193 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 13194 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 13195 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13196 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13197 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13198 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13199 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13200 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13201 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13202 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13203 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13204 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13205 start_va = 0x640000 end_va = 0x669fff monitored = 0 entry_point = 0x645680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13206 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 13207 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13212 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13213 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13214 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 13215 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 13216 start_va = 0xac0000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 13217 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 13218 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13219 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 13221 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 13224 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 13225 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 13226 start_va = 0x650000 end_va = 0x657fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 13228 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 13229 start_va = 0x660000 end_va = 0x661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 13230 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 13231 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 13232 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 13233 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Thread: id = 414 os_tid = 0x824 [0147.544] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0147.544] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0147.545] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0147.545] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0147.545] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0147.545] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0147.546] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0147.546] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0147.547] GetProcessHeap () returned 0x6a0000 [0147.547] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0147.547] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0147.547] GetLastError () returned 0x7e [0147.547] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0147.547] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0147.547] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x364) returned 0x6b09a0 [0147.548] SetLastError (dwErrCode=0x7e) [0147.548] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xe00) returned 0x6b0d10 [0147.550] GetStartupInfoW (in: lpStartupInfo=0x18f8f8 | out: lpStartupInfo=0x18f8f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0147.550] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0147.550] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0147.550] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0147.550] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"" [0147.550] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"" [0147.550] GetACP () returned 0x4e4 [0147.550] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x220) returned 0x6b1b18 [0147.550] IsValidCodePage (CodePage=0x4e4) returned 1 [0147.550] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f918 | out: lpCPInfo=0x18f918) returned 1 [0147.550] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1e0 | out: lpCPInfo=0x18f1e0) returned 1 [0147.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0147.550] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0147.550] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1f4 | out: lpCharType=0x18f1f4) returned 1 [0147.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0147.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x18ef38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0147.551] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0147.551] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0147.551] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0147.551] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0147.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿvëýs0ù\x18", lpUsedDefaultChar=0x0) returned 256 [0147.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0147.551] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0147.551] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0147.551] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0147.551] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿvëýs0ù\x18", lpUsedDefaultChar=0x0) returned 256 [0147.552] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6a3870 [0147.552] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0147.552] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x18a) returned 0x6b1d40 [0147.552] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0147.552] GetLastError () returned 0x0 [0147.552] SetLastError (dwErrCode=0x0) [0147.552] GetEnvironmentStringsW () returned 0x6b1ed8* [0147.552] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa8c) returned 0x6b2970 [0147.552] FreeEnvironmentStringsW (penv=0x6b1ed8) returned 1 [0147.552] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x90) returned 0x6a47c8 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3e) returned 0x6aaed0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x5c) returned 0x6a8aa0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x6e) returned 0x6a4890 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x78) returned 0x6b34b0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x62) returned 0x6a4c60 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x28) returned 0x6a3d90 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x48) returned 0x6a3fe8 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1a) returned 0x6a0570 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3a) returned 0x6aabb8 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x62) returned 0x6a3bf0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2a) returned 0x6a8838 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2e) returned 0x6a8678 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1c) returned 0x6a3dc0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x144) returned 0x6a9cb8 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x7c) returned 0x6a8300 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x36) returned 0x6ae1f0 [0147.553] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3a) returned 0x6aac48 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x90) returned 0x6a43a0 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a3910 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x30) returned 0x6a88a8 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x36) returned 0x6ae530 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x48) returned 0x6a2900 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x52) returned 0x6a04b8 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3c) returned 0x6aab70 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xd6) returned 0x6a9e78 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2e) returned 0x6a88e0 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1e) returned 0x6a2950 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2c) returned 0x6a89c0 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x54) returned 0x6a3e08 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x52) returned 0x6a4070 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a3e68 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x42) returned 0x6a40d0 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2c) returned 0x6a8870 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x44) returned 0x6a9fa8 [0147.554] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a3940 [0147.555] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b2970 | out: hHeap=0x6a0000) returned 1 [0147.555] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x800) returned 0x6b1ed8 [0147.567] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0147.567] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0147.567] GetStartupInfoW (in: lpStartupInfo=0x18f95c | out: lpStartupInfo=0x18f95c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0147.567] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"" [0147.567] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"", pNumArgs=0x18f948 | out: pNumArgs=0x18f948) returned 0x6b2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0147.568] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0147.571] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x6b4410 [0147.571] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x38) returned 0x6ae430 [0147.572] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_freeDataIdList", cchWideChar=-1, lpMultiByteStr=0x6ae430, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_freeDataIdList", lpUsedDefaultChar=0x0) returned 28 [0147.572] GetLastError () returned 0x0 [0147.572] SetLastError (dwErrCode=0x0) [0147.572] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListW") returned 0x0 [0147.572] GetLastError () returned 0x7f [0147.572] SetLastError (dwErrCode=0x7f) [0147.572] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListA") returned 0x0 [0147.573] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdList") returned 0x647ccb5d [0147.573] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6a3818 [0147.573] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x6a3818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0147.573] GetActiveWindow () returned 0x0 [0147.659] GetLastError () returned 0x7f [0147.659] SetLastError (dwErrCode=0x7f) Thread: id = 416 os_tid = 0x450 Process: id = "207" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x3bd20000" os_pid = "0x1344" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "206" os_parent_pid = "0x13bc" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 5052 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13238 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13239 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13240 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13241 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13242 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13243 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 13244 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13245 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13246 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 13247 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 13248 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 13249 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13250 start_va = 0x7ed10000 end_va = 0x7ed32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed10000" filename = "" Region: id = 13251 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13252 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13253 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 13254 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13255 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13256 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13257 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13258 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13264 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13265 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13266 start_va = 0xed0000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 13267 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13282 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13283 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13284 start_va = 0x7ec10000 end_va = 0x7ed0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec10000" filename = "" Region: id = 13285 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13286 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13287 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13288 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13289 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 13290 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13291 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13296 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13297 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 13298 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13299 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13300 start_va = 0xec0000 end_va = 0xec3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 13301 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13302 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13303 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13304 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 13305 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 13306 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13307 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 13308 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 13311 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 13312 start_va = 0xed0000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 13313 start_va = 0xf50000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 13314 start_va = 0x1050000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 13315 start_va = 0xed0000 end_va = 0xed3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 13316 start_va = 0xf00000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 13317 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13318 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13319 start_va = 0x590000 end_va = 0x717fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 13320 start_va = 0xf10000 end_va = 0xf39fff monitored = 0 entry_point = 0xf15680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13321 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13322 start_va = 0x720000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 13323 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 13324 start_va = 0xee0000 end_va = 0xee3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 13343 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13344 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 13345 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 13346 start_va = 0x6530000 end_va = 0x664ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 13358 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 13359 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 13360 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 13361 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13362 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 13363 start_va = 0x6650000 end_va = 0x6e4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006650000" filename = "" Region: id = 13364 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13365 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13366 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13367 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13368 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13369 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13370 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13371 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13372 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13373 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13374 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13375 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13376 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13377 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13378 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13379 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13380 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13400 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13401 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13402 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13403 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13404 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13405 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13406 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13407 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13408 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13409 start_va = 0xf20000 end_va = 0xf26fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 13411 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13412 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 13413 start_va = 0x1050000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 13414 start_va = 0x10d0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 13415 start_va = 0xf20000 end_va = 0xf21fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 13416 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13419 start_va = 0x6dd70000 end_va = 0x6e18dfff monitored = 0 entry_point = 0x6de6ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 13420 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13429 start_va = 0x6f6d0000 end_va = 0x6f73ffff monitored = 0 entry_point = 0x6f724b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 13430 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13431 start_va = 0x6530000 end_va = 0x6619fff monitored = 0 entry_point = 0x656d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13432 start_va = 0x6640000 end_va = 0x664ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006640000" filename = "" Region: id = 13433 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 13434 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13435 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 13436 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 13437 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13457 start_va = 0x6650000 end_va = 0x6986fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 13458 start_va = 0xf30000 end_va = 0xf31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13459 start_va = 0xf30000 end_va = 0xf33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13460 start_va = 0xf30000 end_va = 0xf35fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13461 start_va = 0xf30000 end_va = 0xf37fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13462 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13463 start_va = 0xf30000 end_va = 0xf39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13464 start_va = 0xf30000 end_va = 0xf3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13465 start_va = 0xf30000 end_va = 0xf3dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13466 start_va = 0xf30000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13467 start_va = 0xf30000 end_va = 0xf41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13468 start_va = 0xf30000 end_va = 0xf43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13469 start_va = 0xf30000 end_va = 0xf45fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13470 start_va = 0xf30000 end_va = 0xf47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13471 start_va = 0xf30000 end_va = 0xf49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13483 start_va = 0xf30000 end_va = 0xf4bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13484 start_va = 0xf30000 end_va = 0xf4dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13485 start_va = 0xf30000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13493 start_va = 0x6990000 end_va = 0x6a6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 13552 start_va = 0x6a70000 end_va = 0x6b35fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 13553 start_va = 0x6b40000 end_va = 0x6bf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b40000" filename = "" Region: id = 13585 start_va = 0x6c00000 end_va = 0x6ca3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 13643 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 13644 start_va = 0xf40000 end_va = 0xf42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 13645 start_va = 0x6630000 end_va = 0x6633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 13646 start_va = 0x6a70000 end_va = 0x726ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13647 start_va = 0x7270000 end_va = 0x7276fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007270000" filename = "" Region: id = 13648 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13649 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13650 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13651 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13652 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13653 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13654 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13655 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13656 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13691 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13692 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13693 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13694 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13695 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13696 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13697 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13698 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13699 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13700 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13706 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13707 start_va = 0x6a70000 end_va = 0x6a76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a70000" filename = "" Region: id = 13708 start_va = 0x6a70000 end_va = 0x6b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a70000" filename = "" Region: id = 13709 start_va = 0x6b70000 end_va = 0x6b76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13710 start_va = 0x6b70000 end_va = 0x6b76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13711 start_va = 0x6b70000 end_va = 0x6b76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13712 start_va = 0x6b70000 end_va = 0x6b76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13713 start_va = 0x6b70000 end_va = 0x6b76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13714 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 13715 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 13716 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13717 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13718 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13719 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13720 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13725 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 13726 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 13727 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 13728 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 13729 start_va = 0x6b70000 end_va = 0x6b70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 13730 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 13731 start_va = 0x6b70000 end_va = 0x6b70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 13732 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 13733 start_va = 0x6b80000 end_va = 0x6b80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b80000" filename = "" Region: id = 13734 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 14612 start_va = 0x8b0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 14613 start_va = 0x8f0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 14614 start_va = 0x930000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 14615 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 14616 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 14617 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 14963 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 15320 start_va = 0x6b70000 end_va = 0x6b70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b70000" filename = "" Region: id = 15321 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 15708 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16053 start_va = 0x6b70000 end_va = 0x6b74fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 16054 start_va = 0x6b90000 end_va = 0x6b90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b90000" filename = "" Region: id = 16055 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16175 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16326 start_va = 0xa30000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 16327 start_va = 0xa70000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 16328 start_va = 0x6b90000 end_va = 0x6b90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b90000" filename = "" Region: id = 16329 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16494 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16699 start_va = 0xab0000 end_va = 0xab1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 16700 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 16714 start_va = 0xac0000 end_va = 0xafffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 16715 start_va = 0xb00000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 16716 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 16717 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 16718 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 16719 start_va = 0x6b90000 end_va = 0x6b90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b90000" filename = "" Region: id = 16720 start_va = 0x6b90000 end_va = 0x6c4bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b90000" filename = "" Region: id = 16721 start_va = 0x6c50000 end_va = 0x6c53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006c50000" filename = "" Region: id = 16722 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 16723 start_va = 0x6c60000 end_va = 0x6c63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c60000" filename = "" Region: id = 16724 start_va = 0x6c70000 end_va = 0x6c70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006c70000" filename = "" Region: id = 16725 start_va = 0x6c80000 end_va = 0x6c80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006c80000" filename = "" Region: id = 16758 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 16759 start_va = 0x6c90000 end_va = 0x6c90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 16760 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 16761 start_va = 0x6ca0000 end_va = 0x6ca2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 16762 start_va = 0xb50000 end_va = 0xb52fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 16831 start_va = 0x6cb0000 end_va = 0x71a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006cb0000" filename = "" Region: id = 16832 start_va = 0x71b0000 end_va = 0x81effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 16858 start_va = 0xb60000 end_va = 0xba1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Thread: id = 418 os_tid = 0x7b4 Thread: id = 420 os_tid = 0xc08 Thread: id = 423 os_tid = 0x464 Thread: id = 453 os_tid = 0xc60 Thread: id = 455 os_tid = 0xf9c Thread: id = 456 os_tid = 0xf98 Thread: id = 489 os_tid = 0xca0 Thread: id = 504 os_tid = 0x135c Process: id = "208" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5f03e000" os_pid = "0x11c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13325 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13326 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13327 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13328 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13329 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13330 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 13331 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13332 start_va = 0x8f0000 end_va = 0x8f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 13333 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 13334 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13335 start_va = 0x7f990000 end_va = 0x7f9b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f990000" filename = "" Region: id = 13336 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13337 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13338 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13339 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13350 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13421 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13422 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13423 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13424 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13425 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13426 start_va = 0x900000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 13427 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13428 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13438 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13439 start_va = 0x7f890000 end_va = 0x7f98ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f890000" filename = "" Region: id = 13440 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13441 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 13442 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13443 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13444 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13445 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 13446 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13447 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13448 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13449 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13450 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13451 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13452 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13453 start_va = 0x8f0000 end_va = 0x8f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 13454 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13455 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13456 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13472 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13473 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13474 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13475 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13476 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13477 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13478 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13479 start_va = 0x6b0000 end_va = 0x837fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 13480 start_va = 0x900000 end_va = 0x929fff monitored = 0 entry_point = 0x905680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13481 start_va = 0x9f0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 13482 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13486 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13487 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13488 start_va = 0x900000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 13489 start_va = 0xaf0000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 13490 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 13491 start_va = 0x900000 end_va = 0x990fff monitored = 0 entry_point = 0x938cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13492 start_va = 0x9e0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 13494 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 13495 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 13496 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 13497 start_va = 0x910000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 13500 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 13501 start_va = 0x920000 end_va = 0x921fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 13502 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 13503 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 13504 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 13505 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Thread: id = 421 os_tid = 0x12c0 [0150.264] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0150.264] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0150.264] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0150.264] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0150.264] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0150.264] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0150.265] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0150.265] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0150.265] GetProcessHeap () returned 0x9f0000 [0150.265] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0150.265] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0150.266] GetLastError () returned 0x7e [0150.266] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0150.266] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0150.266] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x364) returned 0xa00a48 [0150.266] SetLastError (dwErrCode=0x7e) [0150.266] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0xe00) returned 0xa00db8 [0150.268] GetStartupInfoW (in: lpStartupInfo=0x18fcac | out: lpStartupInfo=0x18fcac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0150.268] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0150.268] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0150.268] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0150.268] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"" [0150.268] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"" [0150.268] GetACP () returned 0x4e4 [0150.268] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0x220) returned 0xa01bc0 [0150.268] IsValidCodePage (CodePage=0x4e4) returned 1 [0150.268] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fccc | out: lpCPInfo=0x18fccc) returned 1 [0150.268] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f594 | out: lpCPInfo=0x18f594) returned 1 [0150.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0150.268] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f5a8 | out: lpCharType=0x18f5a8) returned 1 [0150.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.268] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0150.268] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0150.269] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0150.269] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.269] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0150.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ@zmQäü\x18", lpUsedDefaultChar=0x0) returned 256 [0150.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.269] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0150.269] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.269] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0150.269] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9a8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ@zmQäü\x18", lpUsedDefaultChar=0x0) returned 256 [0150.269] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0x80) returned 0x9f3850 [0150.269] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0150.269] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x174) returned 0xa01de8 [0150.269] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0150.269] GetLastError () returned 0x0 [0150.269] SetLastError (dwErrCode=0x0) [0150.269] GetEnvironmentStringsW () returned 0xa01f68* [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0xa8c) returned 0xa02a00 [0150.270] FreeEnvironmentStringsW (penv=0xa01f68) returned 1 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x90) returned 0x9f4540 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x3e) returned 0x9fb0a0 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x5c) returned 0x9f8818 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x6e) returned 0x9f4608 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x78) returned 0xa036c0 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x62) returned 0x9f49d8 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x28) returned 0x9f3d70 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x48) returned 0x9f3fc0 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x1a) returned 0x9f0570 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x3a) returned 0x9fad40 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x62) returned 0x9f3bd0 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x2a) returned 0x9f85e8 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x2e) returned 0x9f8498 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x1c) returned 0x9f3da0 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x144) returned 0x9f9c90 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x7c) returned 0x9f8078 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x36) returned 0x9fe5d8 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x3a) returned 0x9fab48 [0150.270] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x90) returned 0x9f4378 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x24) returned 0x9f38f0 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x30) returned 0x9f8508 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x36) returned 0x9fe418 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x48) returned 0x9f28f0 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x52) returned 0x9f04b8 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x3c) returned 0x9faab8 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0xd6) returned 0x9f9e50 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x2e) returned 0x9f8770 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x1e) returned 0x9f2940 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x2c) returned 0x9f83f0 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x54) returned 0x9f3de8 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x52) returned 0x9f4048 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x24) returned 0x9f3e48 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x42) returned 0x9f40a8 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x2c) returned 0x9f8620 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x44) returned 0x9f9f80 [0150.271] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x24) returned 0x9f3920 [0150.272] HeapFree (in: hHeap=0x9f0000, dwFlags=0x0, lpMem=0xa02a00 | out: hHeap=0x9f0000) returned 1 [0150.272] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x8, Size=0x800) returned 0xa01f68 [0150.272] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0150.272] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0150.272] GetStartupInfoW (in: lpStartupInfo=0x18fd10 | out: lpStartupInfo=0x18fd10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0150.272] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"" [0150.272] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"", pNumArgs=0x18fcfc | out: pNumArgs=0x18fcfc) returned 0xa02bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0150.273] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0150.364] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0x1000) returned 0xa044a0 [0150.364] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0x22) returned 0x9fa6c8 [0150.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_get", cchWideChar=-1, lpMultiByteStr=0x9fa6c8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_get", lpUsedDefaultChar=0x0) returned 17 [0150.364] GetLastError () returned 0x0 [0150.364] SetLastError (dwErrCode=0x0) [0150.365] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getW") returned 0x0 [0150.365] GetLastError () returned 0x7f [0150.365] SetLastError (dwErrCode=0x7f) [0150.365] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getA") returned 0x0 [0150.365] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_get") returned 0x647cc130 [0150.365] RtlAllocateHeap (HeapHandle=0x9f0000, Flags=0x0, Size=0x4) returned 0x9f37f8 [0150.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x9f37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0150.365] GetActiveWindow () returned 0x0 [0150.387] GetLastError () returned 0x7f [0150.387] SetLastError (dwErrCode=0x7f) Thread: id = 425 os_tid = 0xae4 Process: id = "209" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5b226000" os_pid = "0xc28" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "208" os_parent_pid = "0x11c4" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4548 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13506 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13507 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13508 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13509 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13510 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13511 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 13512 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13513 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13514 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13515 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 13516 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 13517 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13518 start_va = 0x7f580000 end_va = 0x7f5a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f580000" filename = "" Region: id = 13519 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13520 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13521 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 13522 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13523 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13524 start_va = 0x410000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 13525 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13526 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13527 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13528 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13529 start_va = 0x570000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 13530 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13531 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13532 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13533 start_va = 0x7f480000 end_va = 0x7f57ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f480000" filename = "" Region: id = 13534 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13535 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13554 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13555 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13556 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13557 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 13558 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13559 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13560 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13561 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 13562 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13563 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13564 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13565 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13566 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13567 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 13568 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 13569 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13570 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 13571 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 13572 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 13573 start_va = 0x450000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13574 start_va = 0x450000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13575 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 13576 start_va = 0x450000 end_va = 0x453fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 13577 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 13586 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13587 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13588 start_va = 0x460000 end_va = 0x489fff monitored = 0 entry_point = 0x465680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13589 start_va = 0x570000 end_va = 0x6f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 13590 start_va = 0x740000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 13591 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13592 start_va = 0x840000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 13593 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 13594 start_va = 0x460000 end_va = 0x463fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 13626 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13627 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 13628 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 13629 start_va = 0x9d0000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 13657 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 13658 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 13659 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 13660 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13661 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 13662 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 13663 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13664 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13665 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13666 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13667 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13668 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13669 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13670 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13671 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13672 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13673 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13674 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13675 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13676 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13677 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13678 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13679 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13680 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13681 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13682 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13683 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13684 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13685 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13686 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13701 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13702 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13703 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 13721 start_va = 0x4b0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 13722 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 13723 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 13724 start_va = 0xa80000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 13789 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 13790 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13831 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 13832 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13833 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 13834 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13835 start_va = 0xa90000 end_va = 0xb79fff monitored = 0 entry_point = 0xacd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13836 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 13861 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13862 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 13863 start_va = 0xa90000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 13864 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13884 start_va = 0xb90000 end_va = 0xec6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 13885 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13886 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13887 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13888 start_va = 0x4c0000 end_va = 0x4c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13889 start_va = 0xed0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 13890 start_va = 0x4c0000 end_va = 0x4c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13891 start_va = 0x4c0000 end_va = 0x4cbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13892 start_va = 0x4c0000 end_va = 0x4cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13893 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13894 start_va = 0x4c0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13895 start_va = 0x4c0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13896 start_va = 0x4c0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13897 start_va = 0x4c0000 end_va = 0x4d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13898 start_va = 0x4c0000 end_va = 0x4d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13899 start_va = 0x4c0000 end_va = 0x4dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13900 start_va = 0x4c0000 end_va = 0x4ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13901 start_va = 0x4c0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13912 start_va = 0xfd0000 end_va = 0x10affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 13974 start_va = 0x6530000 end_va = 0x65fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 14000 start_va = 0x6600000 end_va = 0x66acfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 14011 start_va = 0x66b0000 end_va = 0x6756fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066b0000" filename = "" Region: id = 14091 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 14092 start_va = 0x4d0000 end_va = 0x4d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 14093 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 14094 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 14101 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14102 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14103 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14104 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14105 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14106 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14107 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14108 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14109 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14110 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14111 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14112 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14113 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14114 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14115 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14116 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14117 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14118 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14119 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14120 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14121 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14124 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14125 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 14126 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14127 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14128 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14129 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14130 start_va = 0x4f0000 end_va = 0x4f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14131 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 14132 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 14133 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14134 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14141 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 14142 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14143 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14144 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14145 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 14146 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 14147 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 14148 start_va = 0x520000 end_va = 0x520fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 14149 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 14150 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 14152 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 14153 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 14154 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 15020 start_va = 0x700000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 15021 start_va = 0x6630000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 15022 start_va = 0x6670000 end_va = 0x66affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006670000" filename = "" Region: id = 15023 start_va = 0x66b0000 end_va = 0x66effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066b0000" filename = "" Region: id = 15024 start_va = 0x66f0000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 15025 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 15347 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 15721 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 15722 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16072 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16204 start_va = 0x520000 end_va = 0x524fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 16205 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 16206 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16352 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16587 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 16588 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 16590 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 16591 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16805 start_va = 0x6f740000 end_va = 0x6f748fff monitored = 0 entry_point = 0x6f743830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16952 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 16953 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 16956 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 16957 start_va = 0x6830000 end_va = 0x686ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006830000" filename = "" Region: id = 16958 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 16959 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 16960 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 16961 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 16962 start_va = 0x6870000 end_va = 0x692bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 16963 start_va = 0xa50000 end_va = 0xa53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 16964 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 16965 start_va = 0xa60000 end_va = 0xa63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 16966 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 16968 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 16969 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 16970 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 16988 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 16989 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 16990 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 16991 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 17000 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 17001 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 17031 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 17032 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 426 os_tid = 0xe00 Thread: id = 428 os_tid = 0xdf0 Thread: id = 434 os_tid = 0xe80 Thread: id = 460 os_tid = 0x654 Thread: id = 463 os_tid = 0x1024 Thread: id = 464 os_tid = 0x101c Thread: id = 499 os_tid = 0x310 Thread: id = 511 os_tid = 0xb5c Process: id = "210" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5f156000" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13536 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13537 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13538 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13539 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13540 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13541 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 13542 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13543 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13544 start_va = 0xf50000 end_va = 0xf51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 13545 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 13546 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13547 start_va = 0x7ea60000 end_va = 0x7ea82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea60000" filename = "" Region: id = 13548 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13549 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13550 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13551 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13578 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 13579 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13580 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13581 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13582 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13583 start_va = 0xf60000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 13584 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13595 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13596 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13597 start_va = 0x7e960000 end_va = 0x7ea5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e960000" filename = "" Region: id = 13598 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13599 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 13600 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13601 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13602 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13603 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 13604 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13605 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13606 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13607 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13608 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13609 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13610 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13611 start_va = 0xf50000 end_va = 0xf53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 13612 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13613 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13614 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13615 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13616 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13617 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13618 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13619 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13620 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13621 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13622 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 13623 start_va = 0xf60000 end_va = 0xf89fff monitored = 0 entry_point = 0xf65680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13624 start_va = 0xff0000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 13625 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13632 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13633 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13634 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 13635 start_va = 0x10f0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 13636 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 13637 start_va = 0x10f0000 end_va = 0x1180fff monitored = 0 entry_point = 0x1128cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13638 start_va = 0x1240000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 13639 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 13640 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 13641 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 13642 start_va = 0xf70000 end_va = 0xf77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 13687 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 13688 start_va = 0xf80000 end_va = 0xf81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 13689 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 13690 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 13704 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 13705 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Thread: id = 429 os_tid = 0xc38 [0151.094] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0151.095] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0151.095] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0151.095] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0151.095] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0151.095] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0151.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0151.096] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0151.097] GetProcessHeap () returned 0xff0000 [0151.097] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0151.097] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0151.097] GetLastError () returned 0x7e [0151.098] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0151.098] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0151.098] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x364) returned 0x1000a10 [0151.098] SetLastError (dwErrCode=0x7e) [0151.098] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0xe00) returned 0x1000d80 [0151.100] GetStartupInfoW (in: lpStartupInfo=0x18fde4 | out: lpStartupInfo=0x18fde4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0151.100] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0151.100] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0151.101] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0151.101] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"" [0151.101] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"" [0151.101] GetACP () returned 0x4e4 [0151.101] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0x220) returned 0x1001b88 [0151.101] IsValidCodePage (CodePage=0x4e4) returned 1 [0151.101] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe04 | out: lpCPInfo=0x18fe04) returned 1 [0151.101] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6cc | out: lpCPInfo=0x18f6cc) returned 1 [0151.101] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0151.101] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0151.101] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f6e0 | out: lpCharType=0x18f6e0) returned 1 [0151.101] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0151.101] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x18f428, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0151.101] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0151.102] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0151.102] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0151.102] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f218, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0151.155] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbe0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÛý¡\x82\x1cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0151.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0151.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fce0, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0151.156] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0151.156] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0151.156] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fae0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÛý¡\x82\x1cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0151.156] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0x80) returned 0xff3850 [0151.156] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0151.156] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x174) returned 0x1001db0 [0151.156] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0151.156] GetLastError () returned 0x0 [0151.156] SetLastError (dwErrCode=0x0) [0151.156] GetEnvironmentStringsW () returned 0x1001f30* [0151.156] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0xa8c) returned 0x10029c8 [0151.157] FreeEnvironmentStringsW (penv=0x1001f30) returned 1 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x90) returned 0xff4540 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x3e) returned 0xffa9f0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x5c) returned 0xff8a40 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x6e) returned 0xff4838 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x78) returned 0x1003a88 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x62) returned 0xff3fc0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x28) returned 0xff9e18 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x48) returned 0xff3d70 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x1a) returned 0xff4608 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x3a) returned 0xffacc0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x62) returned 0xff47a8 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x2a) returned 0xff8810 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x2e) returned 0xff86f8 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x1c) returned 0xff4630 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x144) returned 0xff9c58 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x7c) returned 0xff82a0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x36) returned 0xffe3a0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x3a) returned 0xffaf90 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x90) returned 0xffa268 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x24) returned 0xff3bd0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x30) returned 0xff8650 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x36) returned 0xffe2e0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x48) returned 0xff38f0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x52) returned 0xff28f0 [0151.157] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x3c) returned 0xffac30 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0xd6) returned 0xff04a0 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x2e) returned 0xff8848 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x1e) returned 0xff0580 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x2c) returned 0xff8880 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x54) returned 0xff4378 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x52) returned 0xff3de8 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x24) returned 0xff43d8 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x42) returned 0xff4048 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x2c) returned 0xff8768 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x44) returned 0xff4098 [0151.158] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x24) returned 0xff3e48 [0151.159] HeapFree (in: hHeap=0xff0000, dwFlags=0x0, lpMem=0x10029c8 | out: hHeap=0xff0000) returned 1 [0151.159] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x8, Size=0x800) returned 0x1001f30 [0151.159] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0151.159] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0151.160] GetStartupInfoW (in: lpStartupInfo=0x18fe48 | out: lpStartupInfo=0x18fe48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0151.160] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"" [0151.160] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"", pNumArgs=0x18fe34 | out: pNumArgs=0x18fe34) returned 0x1002b80*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0151.160] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0151.163] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0x1000) returned 0x1004468 [0151.163] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0x22) returned 0xffa380 [0151.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_put", cchWideChar=-1, lpMultiByteStr=0xffa380, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_put", lpUsedDefaultChar=0x0) returned 17 [0151.163] GetLastError () returned 0x0 [0151.163] SetLastError (dwErrCode=0x0) [0151.163] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putW") returned 0x0 [0151.163] GetLastError () returned 0x7f [0151.163] SetLastError (dwErrCode=0x7f) [0151.163] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putA") returned 0x0 [0151.164] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_put") returned 0x647cc4df [0151.164] RtlAllocateHeap (HeapHandle=0xff0000, Flags=0x0, Size=0x4) returned 0xff40e8 [0151.164] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xff40e8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0151.164] GetActiveWindow () returned 0x0 [0151.165] GetLastError () returned 0x7f [0151.165] SetLastError (dwErrCode=0x7f) Thread: id = 433 os_tid = 0xe1c Process: id = "211" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x519a7000" os_pid = "0x13c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "206" os_parent_pid = "0x13bc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "212" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5af6d000" os_pid = "0xe7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13735 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13736 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13737 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13738 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13739 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13740 start_va = 0xef0000 end_va = 0xef1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 13741 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 13742 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13743 start_va = 0x7ef60000 end_va = 0x7ef82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 13744 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13745 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13746 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13747 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13748 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13749 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 13750 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13781 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13782 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13783 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13784 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13785 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13786 start_va = 0xf00000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 13787 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13788 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13807 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13808 start_va = 0x7ee60000 end_va = 0x7ef5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee60000" filename = "" Region: id = 13809 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13810 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13811 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13812 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 13813 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 13814 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 13815 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13816 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13817 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 13818 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13819 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13820 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13821 start_va = 0xef0000 end_va = 0xef3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 13822 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13823 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13824 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13825 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13826 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 13827 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13828 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13829 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 13830 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 13853 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13854 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 13855 start_va = 0x1010000 end_va = 0x1039fff monitored = 0 entry_point = 0x1015680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13856 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13876 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13877 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 13878 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 13879 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 13880 start_va = 0x1010000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 13881 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 13882 start_va = 0x1010000 end_va = 0x10a0fff monitored = 0 entry_point = 0x1048cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13883 start_va = 0x1200000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 13911 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 13914 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 13915 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 13916 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 13917 start_va = 0x1010000 end_va = 0x1017fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 13922 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 13923 start_va = 0x1020000 end_va = 0x1021fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 13924 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 13925 start_va = 0x1020000 end_va = 0x1020fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 13926 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 13927 start_va = 0x1020000 end_va = 0x1020fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Thread: id = 435 os_tid = 0xe68 [0152.704] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0152.704] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0152.705] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0152.705] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0152.705] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0152.705] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0152.706] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0152.706] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0152.706] GetProcessHeap () returned 0xf10000 [0152.706] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0152.707] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0152.707] GetLastError () returned 0x7e [0152.707] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0152.707] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0152.707] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x364) returned 0xf20a60 [0152.707] SetLastError (dwErrCode=0x7e) [0152.707] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xe00) returned 0xf20dd0 [0152.709] GetStartupInfoW (in: lpStartupInfo=0x18fbf8 | out: lpStartupInfo=0x18fbf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0152.709] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0152.709] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0152.709] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0152.710] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"" [0152.710] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"" [0152.710] GetACP () returned 0x4e4 [0152.710] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x220) returned 0xf21bd8 [0152.710] IsValidCodePage (CodePage=0x4e4) returned 1 [0152.710] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc18 | out: lpCPInfo=0x18fc18) returned 1 [0152.710] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4e0 | out: lpCPInfo=0x18f4e0) returned 1 [0152.710] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0152.710] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x18f288, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0152.710] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f4f4 | out: lpCharType=0x18f4f4) returned 1 [0152.710] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0152.710] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0152.710] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0152.710] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0152.710] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0152.710] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0152.710] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÀ]rx0ü\x18", lpUsedDefaultChar=0x0) returned 256 [0152.711] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0152.711] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf4, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0152.711] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0152.711] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0152.711] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÀ]rx0ü\x18", lpUsedDefaultChar=0x0) returned 256 [0152.711] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x80) returned 0xf13868 [0152.711] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0152.711] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x184) returned 0xf21e00 [0152.711] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0152.711] GetLastError () returned 0x0 [0152.967] SetLastError (dwErrCode=0x0) [0152.968] GetEnvironmentStringsW () returned 0xf21f90* [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0xa8c) returned 0xf22a28 [0152.968] FreeEnvironmentStringsW (penv=0xf21f90) returned 1 [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14558 [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3e) returned 0xf1aec0 [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x5c) returned 0xf18830 [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x6e) returned 0xf14620 [0152.968] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x78) returned 0xf23b68 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf149f0 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x28) returned 0xf13d88 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf13fd8 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1a) returned 0xf10570 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1ae78 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf13be8 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2a) returned 0xf18600 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18408 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1c) returned 0xf13db8 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x144) returned 0xf19a48 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x7c) returned 0xf18090 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e030 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1acc8 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14390 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13908 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x30) returned 0xf18558 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e670 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf12900 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf104b8 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3c) returned 0xf1b100 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xd6) returned 0xf19c08 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18638 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1e) returned 0xf12950 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18718 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x54) returned 0xf13e00 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf14060 [0152.969] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13e60 [0152.970] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x42) returned 0xf140c0 [0152.970] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18670 [0152.970] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x44) returned 0xf19d38 [0152.970] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13938 [0152.970] HeapFree (in: hHeap=0xf10000, dwFlags=0x0, lpMem=0xf22a28 | out: hHeap=0xf10000) returned 1 [0152.970] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x800) returned 0xf21f90 [0152.970] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0152.970] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0152.971] GetStartupInfoW (in: lpStartupInfo=0x18fc5c | out: lpStartupInfo=0x18fc5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0152.971] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"" [0152.971] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"", pNumArgs=0x18fc48 | out: pNumArgs=0x18fc48) returned 0xf22be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0152.971] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0152.974] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x1000) returned 0xf244c8 [0152.974] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x32) returned 0xf1e2f0 [0152.974] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setCrypto", cchWideChar=-1, lpMultiByteStr=0xf1e2f0, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setCrypto", lpUsedDefaultChar=0x0) returned 25 [0152.974] GetLastError () returned 0x0 [0152.975] SetLastError (dwErrCode=0x0) [0152.975] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoW") returned 0x0 [0152.975] GetLastError () returned 0x7f [0152.975] SetLastError (dwErrCode=0x7f) [0152.975] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoA") returned 0x0 [0152.975] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCrypto") returned 0x647c16e4 [0152.975] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x4) returned 0xf13810 [0152.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xf13810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0152.975] GetActiveWindow () returned 0x0 [0153.173] GetLastError () returned 0x7f [0153.173] SetLastError (dwErrCode=0x7f) Thread: id = 439 os_tid = 0xe98 Process: id = "213" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5af2b000" os_pid = "0xc48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0xc14" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3092 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13751 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13752 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13753 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13754 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13755 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 13756 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 13757 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 13758 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13759 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 13760 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 13761 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 13762 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13763 start_va = 0x7e540000 end_va = 0x7e562fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e540000" filename = "" Region: id = 13764 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13765 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13766 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 13767 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13768 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 13769 start_va = 0x100000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 13770 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 13771 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 13772 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13773 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 13791 start_va = 0x8a0000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 13792 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 13793 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 13794 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 13795 start_va = 0x7e440000 end_va = 0x7e53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e440000" filename = "" Region: id = 13796 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 13797 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 13798 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 13799 start_va = 0x140000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 13800 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 13801 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 13802 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 13803 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 13804 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 13805 start_va = 0x890000 end_va = 0x893fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 13806 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 13837 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 13838 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 13839 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 13840 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 13841 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 13842 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 13843 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 13844 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 13845 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 13846 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 13847 start_va = 0xa60000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 13848 start_va = 0x8a0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 13849 start_va = 0x960000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 13850 start_va = 0x8a0000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 13851 start_va = 0x8d0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 13852 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 13865 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 13870 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 13871 start_va = 0x8e0000 end_va = 0x909fff monitored = 0 entry_point = 0x8e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13872 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 13873 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 13874 start_va = 0x8b0000 end_va = 0x8b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 13875 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 13918 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 13919 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 13920 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 13921 start_va = 0xb30000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 13928 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 13929 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 13930 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 13931 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 13932 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 13933 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 13934 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13935 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13936 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13937 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13942 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13943 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13944 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13945 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13946 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13947 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13948 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13949 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13950 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13951 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13952 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13953 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13954 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13955 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13956 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13957 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13958 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13959 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13960 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13961 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13962 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13963 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13964 start_va = 0x8f0000 end_va = 0x8f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 13966 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 13967 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 13968 start_va = 0xa60000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 13969 start_va = 0xb20000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 13991 start_va = 0x8f0000 end_va = 0x8f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 13992 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 13993 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 13994 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 13995 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 13996 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 13997 start_va = 0xb30000 end_va = 0xc19fff monitored = 0 entry_point = 0xb6d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 13998 start_va = 0xd10000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 13999 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 14007 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 14008 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 14009 start_va = 0xb30000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 14010 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 14040 start_va = 0xd20000 end_va = 0x1056fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 14041 start_va = 0x900000 end_va = 0x901fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14042 start_va = 0x900000 end_va = 0x903fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14043 start_va = 0x900000 end_va = 0x905fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14044 start_va = 0x900000 end_va = 0x907fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14045 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 14046 start_va = 0x900000 end_va = 0x909fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14047 start_va = 0x900000 end_va = 0x90bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14048 start_va = 0x900000 end_va = 0x90dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14049 start_va = 0x900000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14050 start_va = 0x900000 end_va = 0x911fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14051 start_va = 0x900000 end_va = 0x913fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14052 start_va = 0x900000 end_va = 0x915fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14053 start_va = 0x900000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14054 start_va = 0x900000 end_va = 0x919fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14055 start_va = 0x900000 end_va = 0x91bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14056 start_va = 0x900000 end_va = 0x91dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14057 start_va = 0x900000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14083 start_va = 0xc30000 end_va = 0xd0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 14151 start_va = 0x6630000 end_va = 0x66fafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14157 start_va = 0x6700000 end_va = 0x67b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006700000" filename = "" Region: id = 14160 start_va = 0x67c0000 end_va = 0x6870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067c0000" filename = "" Region: id = 14214 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14215 start_va = 0x910000 end_va = 0x912fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 14216 start_va = 0x920000 end_va = 0x923fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 14217 start_va = 0x6630000 end_va = 0x6e2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006630000" filename = "" Region: id = 14218 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14219 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14220 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14221 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14222 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14223 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14224 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14225 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14226 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14227 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14228 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14229 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14240 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14241 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14242 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14243 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14244 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14245 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14246 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14247 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14248 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14249 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14250 start_va = 0x6630000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 14251 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14252 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14253 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14262 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14263 start_va = 0x930000 end_va = 0x936fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14264 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 14265 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 14266 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14267 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14268 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14269 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14270 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14271 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 14272 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 14309 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 14310 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 14311 start_va = 0x930000 end_va = 0x930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 14312 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 14313 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 14314 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 14372 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14373 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 15640 start_va = 0x820000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 15641 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 15642 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 15643 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 15644 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 15645 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 15646 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 15944 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 15945 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16130 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16321 start_va = 0x930000 end_va = 0x934fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 16322 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 16323 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16483 start_va = 0x6f9f0000 end_va = 0x6f9f8fff monitored = 0 entry_point = 0x6f9f3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 16697 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 16698 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 16701 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 16702 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 16887 start_va = 0x6f740000 end_va = 0x6f748fff monitored = 0 entry_point = 0x6f743830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 17119 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 17120 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 17121 start_va = 0x6830000 end_va = 0x686ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006830000" filename = "" Region: id = 17122 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 17170 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 17171 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 17172 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 17173 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 17174 start_va = 0x68b0000 end_va = 0x696bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068b0000" filename = "" Region: id = 17175 start_va = 0x950000 end_va = 0x953fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 17176 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 17177 start_va = 0x6970000 end_va = 0x6973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006970000" filename = "" Region: id = 17178 start_va = 0x6980000 end_va = 0x6980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006980000" filename = "" Region: id = 17179 start_va = 0x6990000 end_va = 0x6990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 17180 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 17181 start_va = 0x69a0000 end_va = 0x69a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 17182 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 17183 start_va = 0x69b0000 end_va = 0x69b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 17184 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 17185 start_va = 0x69c0000 end_va = 0x6eb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069c0000" filename = "" Region: id = 17186 start_va = 0x6ec0000 end_va = 0x7efffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 17269 start_va = 0x7f00000 end_va = 0x7f41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f00000" filename = "" Region: id = 17348 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 17349 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 436 os_tid = 0xea8 Thread: id = 438 os_tid = 0xc50 Thread: id = 440 os_tid = 0xf00 Thread: id = 466 os_tid = 0xffc Thread: id = 467 os_tid = 0x1008 Thread: id = 468 os_tid = 0x1068 Thread: id = 503 os_tid = 0x430 Thread: id = 515 os_tid = 0x114c Process: id = "214" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5b3ff000" os_pid = "0xc40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "208" os_parent_pid = "0x11c4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "215" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7be22000" os_pid = "0xc58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "210" os_parent_pid = "0xc14" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "216" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4cb78000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "212" os_parent_pid = "0xe7c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "217" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4cb84000" os_pid = "0xee4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 13975 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 13976 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 13977 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 13978 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 13979 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 13980 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 13981 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 13982 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 13983 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 13984 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 13985 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 13986 start_va = 0x7f100000 end_va = 0x7f122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f100000" filename = "" Region: id = 13987 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 13988 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 13989 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 13990 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 14001 start_va = 0x440000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 14002 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 14003 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 14004 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14005 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 14006 start_va = 0x600000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14028 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14029 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 14030 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14031 start_va = 0x7f000000 end_va = 0x7f0fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f000000" filename = "" Region: id = 14032 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14033 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 14034 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 14035 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14036 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 14037 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 14038 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14039 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 14059 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 14060 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14061 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 14062 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 14063 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 14064 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 14065 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 14066 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 14067 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 14068 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 14069 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 14070 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 14071 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 14072 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14073 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14074 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 14075 start_va = 0x600000 end_va = 0x629fff monitored = 0 entry_point = 0x605680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14076 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 14077 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 14078 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14084 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 14085 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 14086 start_va = 0x600000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14087 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 14088 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 14089 start_va = 0x600000 end_va = 0x690fff monitored = 0 entry_point = 0x638cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14090 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 14097 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 14098 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 14099 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 14100 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 14135 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14136 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 14137 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 14138 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 14139 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 14140 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 445 os_tid = 0xeb8 [0156.552] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0156.552] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0156.553] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0156.553] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0156.553] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0156.553] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0156.554] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0156.554] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0156.554] GetProcessHeap () returned 0x780000 [0156.554] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0156.554] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0156.554] GetLastError () returned 0x7e [0156.555] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0156.555] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0156.556] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x364) returned 0x790a60 [0156.556] SetLastError (dwErrCode=0x7e) [0156.556] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe00) returned 0x790dd0 [0156.558] GetStartupInfoW (in: lpStartupInfo=0x18fcf4 | out: lpStartupInfo=0x18fcf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0156.558] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0156.558] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0156.558] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0156.558] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"" [0156.558] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"" [0156.558] GetACP () returned 0x4e4 [0156.559] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x220) returned 0x791bd8 [0156.559] IsValidCodePage (CodePage=0x4e4) returned 1 [0156.559] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd14 | out: lpCPInfo=0x18fd14) returned 1 [0156.559] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5dc | out: lpCPInfo=0x18f5dc) returned 1 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x18f378, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0156.559] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f5f0 | out: lpCharType=0x18f5f0) returned 1 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0156.559] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0156.559] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0156.559] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0156.559] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f128, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0156.559] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9c qÞ,ý\x18", lpUsedDefaultChar=0x0) returned 256 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0156.559] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbf0, cbMultiByte=256, lpWideCharStr=0x18f348, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0156.559] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0156.560] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f138, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0156.560] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9c qÞ,ý\x18", lpUsedDefaultChar=0x0) returned 256 [0156.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x80) returned 0x783868 [0156.560] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0156.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x184) returned 0x791e00 [0156.560] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0156.560] GetLastError () returned 0x0 [0156.560] SetLastError (dwErrCode=0x0) [0156.560] GetEnvironmentStringsW () returned 0x791f90* [0156.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0xa8c) returned 0x792a28 [0156.560] FreeEnvironmentStringsW (penv=0x791f90) returned 1 [0156.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7847b8 [0156.560] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3e) returned 0x78af08 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x5c) returned 0x788a90 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x6e) returned 0x784880 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x78) returned 0x793b68 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x784c50 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x783fe8 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x784238 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x780570 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78ada0 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x783be8 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2a) returned 0x788908 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788898 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x784018 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x144) returned 0x789ca8 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x7c) returned 0x7882f0 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78dff0 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78b148 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7845f0 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783908 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x30) returned 0x7886d8 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e5b0 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x782900 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7804b8 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3c) returned 0x78ac80 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd6) returned 0x789e68 [0156.561] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788780 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1e) returned 0x782950 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x7887f0 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x784060 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7842c0 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x7840c0 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x42) returned 0x784320 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788710 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x789f98 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783938 [0156.562] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792a28 | out: hHeap=0x780000) returned 1 [0156.562] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x800) returned 0x791f90 [0156.563] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0156.563] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0156.563] GetStartupInfoW (in: lpStartupInfo=0x18fd58 | out: lpStartupInfo=0x18fd58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0156.563] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"" [0156.563] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"", pNumArgs=0x18fd44 | out: pNumArgs=0x18fd44) returned 0x792be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0156.564] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0156.566] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x1000) returned 0x7944c8 [0156.566] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x32) returned 0x78df70 [0156.566] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setSystem", cchWideChar=-1, lpMultiByteStr=0x78df70, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setSystem", lpUsedDefaultChar=0x0) returned 25 [0156.566] GetLastError () returned 0x0 [0156.566] SetLastError (dwErrCode=0x0) [0156.566] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemW") returned 0x0 [0156.567] GetLastError () returned 0x7f [0156.567] SetLastError (dwErrCode=0x7f) [0156.567] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemA") returned 0x0 [0156.567] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystem") returned 0x647c1699 [0156.567] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x4) returned 0x783810 [0156.567] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x783810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0156.567] GetActiveWindow () returned 0x0 [0156.576] GetLastError () returned 0x7f [0156.576] SetLastError (dwErrCode=0x7f) Thread: id = 447 os_tid = 0xed8 Process: id = "218" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73c85000" os_pid = "0xf3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "217" os_parent_pid = "0xee4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "219" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4c29b000" os_pid = "0xc4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14165 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14166 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14167 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14168 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 14169 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 14170 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 14171 start_va = 0xd0000 end_va = 0xd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14172 start_va = 0xe0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 14173 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 14174 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 14175 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 14176 start_va = 0x7ede0000 end_va = 0x7ee02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 14177 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14178 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 14179 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14180 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 14182 start_va = 0x400000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 14183 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 14184 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 14185 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14186 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 14187 start_va = 0x5e0000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 14188 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14189 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 14192 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14193 start_va = 0x7ece0000 end_va = 0x7eddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Region: id = 14194 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14195 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 14196 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 14197 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 14198 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 14199 start_va = 0x5e0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 14200 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 14201 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14202 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 14203 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 14204 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14205 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 14206 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 14207 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 14208 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 14209 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 14210 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 14211 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 14212 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 14213 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 14232 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 14233 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 14234 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14235 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14236 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 14237 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14238 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 14239 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14256 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 14257 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 14258 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 14259 start_va = 0xba0000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 14260 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 14261 start_va = 0x500000 end_va = 0x590fff monitored = 0 entry_point = 0x538cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14275 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 14276 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 14277 start_va = 0xc90000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 14278 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 14279 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 14280 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14281 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14282 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14283 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14284 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14285 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14286 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14287 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14288 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14289 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14290 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14291 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14292 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14293 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14294 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14295 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14296 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14297 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14298 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14299 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14300 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14301 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14302 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14303 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14304 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14305 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14306 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14307 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14308 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14316 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14317 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14318 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14319 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14320 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14321 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14322 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14323 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14324 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14325 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14326 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14327 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14328 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14329 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14330 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14331 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14332 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14333 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14334 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14335 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14336 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14337 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14338 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14339 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14340 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14341 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14342 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14343 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14344 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14345 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14346 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14347 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14348 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14349 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14350 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14351 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14352 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14353 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14354 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14355 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14356 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14357 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14358 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14359 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14360 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14361 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14362 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14363 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14364 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14365 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14366 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14367 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14368 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14369 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14370 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14371 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14377 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14378 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14379 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14380 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14381 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14382 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14383 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14384 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14385 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14386 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14387 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14388 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14389 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14390 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14391 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14392 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14393 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14394 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14395 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14396 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14397 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14398 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14399 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14400 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14401 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14402 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14403 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14404 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14405 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14406 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14407 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14408 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14409 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14410 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14411 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14412 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14413 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14414 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14415 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14416 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14417 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14418 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14419 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14420 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14421 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14422 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14423 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14425 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14426 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14427 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14428 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14429 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14430 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14431 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14432 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14433 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14434 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14435 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14436 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14437 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14438 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14439 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14440 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14441 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14442 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14443 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14444 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14445 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14446 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14447 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14448 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14449 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14450 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14451 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14452 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14453 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14454 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14455 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14456 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14457 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14458 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14459 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14460 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14461 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14462 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14463 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14464 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14465 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14466 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14467 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14468 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14469 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14470 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14471 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14472 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14473 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14474 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14475 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14476 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14477 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14478 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14479 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14480 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14481 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14482 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14483 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14484 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14487 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14488 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14489 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14490 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14491 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14492 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14493 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14494 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14495 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14496 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14497 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14498 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14499 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14500 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14501 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14502 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14503 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14504 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14505 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14506 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14507 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14508 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14509 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14510 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14511 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14512 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14513 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14514 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14515 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14516 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14517 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14518 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14519 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14520 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14521 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14522 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14523 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14524 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14525 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14526 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14527 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14528 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14529 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14530 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14531 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14532 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14533 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14534 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14535 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14536 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14537 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14538 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14539 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14540 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14541 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14542 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14543 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 14544 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 22560 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22561 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22562 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 22563 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 448 os_tid = 0xf24 [0158.668] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0158.668] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0158.669] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0158.669] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0158.669] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0158.669] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0158.670] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0158.670] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0158.670] GetProcessHeap () returned 0x780000 [0158.670] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0158.670] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0158.670] GetLastError () returned 0x7e [0158.670] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0158.671] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0158.671] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x364) returned 0x790a48 [0158.671] SetLastError (dwErrCode=0x7e) [0158.671] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe00) returned 0x790db8 [0158.673] GetStartupInfoW (in: lpStartupInfo=0x1df8c4 | out: lpStartupInfo=0x1df8c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0158.673] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0158.673] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0158.673] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0158.673] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"" [0158.673] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"" [0158.673] GetACP () returned 0x4e4 [0158.673] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x220) returned 0x791bc0 [0158.673] IsValidCodePage (CodePage=0x4e4) returned 1 [0158.673] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1df8e4 | out: lpCPInfo=0x1df8e4) returned 1 [0158.673] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1df1ac | out: lpCPInfo=0x1df1ac) returned 1 [0158.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0158.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x1def48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0158.673] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1df1c0 | out: lpCharType=0x1df1c0) returned 1 [0158.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0158.673] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x1def08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0158.674] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0158.674] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0158.674] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0158.674] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1decf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0158.674] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1df6c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0f\x15;\x0büø\x1d", lpUsedDefaultChar=0x0) returned 256 [0158.674] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0158.674] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df7c0, cbMultiByte=256, lpWideCharStr=0x1def18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0158.674] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0158.674] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1ded08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0158.674] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1df5c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0f\x15;\x0büø\x1d", lpUsedDefaultChar=0x0) returned 256 [0158.674] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x80) returned 0x783850 [0158.674] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0158.674] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x176) returned 0x791de8 [0158.674] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0158.674] GetLastError () returned 0x0 [0158.674] SetLastError (dwErrCode=0x0) [0158.675] GetEnvironmentStringsW () returned 0x791f68* [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0xa8c) returned 0x792a00 [0158.675] FreeEnvironmentStringsW (penv=0x791f68) returned 1 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x784540 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3e) returned 0x78a9e0 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x5c) returned 0x788818 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x6e) returned 0x784608 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x78) returned 0x793940 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x7849d8 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x783d70 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x783fc0 [0158.675] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x780570 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78ad88 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x783bd0 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2a) returned 0x7884d0 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788690 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x783da0 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x144) returned 0x789a30 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x7c) returned 0x788078 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78df98 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78af38 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x784378 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x7838f0 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x30) returned 0x788508 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e558 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x7828f0 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7804b8 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3c) returned 0x78acf8 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd6) returned 0x789e50 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788620 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1e) returned 0x782940 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788428 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x783de8 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x784048 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783e48 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x42) returned 0x7840a8 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x7886c8 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x789f80 [0158.676] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783920 [0158.677] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792a00 | out: hHeap=0x780000) returned 1 [0158.677] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x800) returned 0x791f68 [0158.677] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0158.677] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0158.677] GetStartupInfoW (in: lpStartupInfo=0x1df928 | out: lpStartupInfo=0x1df928*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0158.677] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"" [0158.677] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"0\"", pNumArgs=0x1df914 | out: pNumArgs=0x1df914) returned 0x792bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0158.678] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0158.681] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x1000) returned 0x7944a0 [0158.681] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x24) returned 0x78a6c8 [0158.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_forkFixup", cchWideChar=-1, lpMultiByteStr=0x78a6c8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_forkFixup", lpUsedDefaultChar=0x0) returned 18 [0158.681] GetLastError () returned 0x0 [0158.682] SetLastError (dwErrCode=0x0) [0158.682] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupW") returned 0x0 [0158.682] GetLastError () returned 0x7f [0158.682] SetLastError (dwErrCode=0x7f) [0158.682] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupA") returned 0x0 [0158.682] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixup") returned 0x647cbbb3 [0158.682] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x4) returned 0x7837f8 [0158.682] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x7837f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0158.682] GetActiveWindow () returned 0x0 [0158.683] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7944a0 | out: hHeap=0x780000) returned 1 [0158.683] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x78a6c8 | out: hHeap=0x780000) returned 1 [0158.683] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7837f8 | out: hHeap=0x780000) returned 1 [0158.683] GetCurrentProcessId () returned 0xc4c [0158.683] GetCurrentThreadId () returned 0xf24 [0158.684] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0158.694] Thread32First (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.694] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.695] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.695] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.696] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.697] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.697] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.698] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.699] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.699] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.700] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.700] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.701] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.702] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.702] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.703] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.703] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.704] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.705] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.705] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.706] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.706] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.707] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.708] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.708] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.709] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.710] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.710] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.711] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.785] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.786] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.787] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.787] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.788] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.789] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.789] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.790] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.791] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.791] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.792] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.793] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.793] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.794] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.795] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.795] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.796] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.797] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.797] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.798] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.799] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.799] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.800] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.801] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.801] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.802] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.802] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.803] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.804] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.804] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.805] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.806] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.806] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.807] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.808] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.808] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.809] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.809] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.810] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.811] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.811] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.812] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.812] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.813] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.814] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.814] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.815] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.815] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.816] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.817] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.817] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.818] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.818] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.819] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.820] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.820] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.913] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.914] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.915] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.915] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.916] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.917] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.917] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.918] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.919] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.919] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.920] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.921] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.922] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.922] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.923] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.924] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.924] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.925] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.926] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.926] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.927] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.928] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.928] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.929] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.930] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.930] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.931] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.932] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.933] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.934] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.934] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.935] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.937] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.937] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.938] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.938] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.939] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.940] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.940] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.941] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.941] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.942] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.943] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.943] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.944] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.944] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.945] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.980] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.980] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.981] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.982] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.983] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.983] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.984] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.985] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.986] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.987] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.987] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.988] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.989] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.990] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.991] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.991] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.997] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.997] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.998] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.999] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0158.999] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.000] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.000] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.001] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.002] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.002] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.003] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.003] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.004] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.005] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.005] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.006] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.007] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.007] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.008] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.009] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.009] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.010] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.011] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.011] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.012] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.012] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.013] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.014] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.014] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.015] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.015] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.016] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.017] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.017] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.018] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.018] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.019] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.020] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.020] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.021] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.021] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.022] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.023] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.023] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.072] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.073] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.074] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.074] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.075] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.075] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.076] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.077] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.077] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.078] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.079] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.079] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.080] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.080] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.081] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.082] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.082] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.083] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.083] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.084] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.085] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.085] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.086] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.087] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.088] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.089] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.089] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.090] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.091] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.091] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.092] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.092] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.093] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.094] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.094] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.095] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.095] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.096] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.097] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.097] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.098] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.099] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.099] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.100] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.100] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.101] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.102] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.103] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.103] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.104] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.104] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.105] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.106] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.106] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.107] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.107] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.108] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.109] Thread32Next (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0159.772] CloseHandle (hObject=0x150) returned 1 [0159.772] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd94) returned 0x150 [0159.772] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0218.467] CloseHandle (hObject=0x150) returned 1 [0218.468] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0218.487] Thread32First (hSnapshot=0x150, lpte=0x1df8f8) returned 1 [0219.623] CloseHandle (hObject=0x150) returned 1 [0219.623] FreeLibrary (hLibModule=0x647c0000) returned 1 [0219.625] LocalFree (hMem=0x792bb8) returned 0x0 [0219.625] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0219.625] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0219.625] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x783850 | out: hHeap=0x780000) returned 1 [0219.626] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x791f68 | out: hHeap=0x780000) returned 1 [0219.626] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0219.626] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0219.627] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1df920 | out: phModule=0x1df920) returned 0 [0219.627] ExitProcess (uExitCode=0x0) [0219.627] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x790a48 | out: hHeap=0x780000) returned 1 Thread: id = 450 os_tid = 0xd94 Process: id = "220" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4bdb4000" os_pid = "0xf58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14554 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14555 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14556 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14557 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14558 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 14559 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 14560 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14561 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 14562 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 14563 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 14564 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 14565 start_va = 0x7fc60000 end_va = 0x7fc82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc60000" filename = "" Region: id = 14566 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14567 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 14568 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14569 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 14571 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 14572 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 14573 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 14574 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14575 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 14576 start_va = 0x940000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 14577 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14578 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 14580 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14581 start_va = 0x7fb60000 end_va = 0x7fc5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb60000" filename = "" Region: id = 14582 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14583 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 14584 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 14585 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 14586 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14587 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 14588 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14589 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 14590 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 14591 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14592 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 14593 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 14594 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 14595 start_va = 0x930000 end_va = 0x933fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 14596 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 14597 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 14598 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 14599 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 14601 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 14602 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 14603 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 14604 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14605 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14606 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 14607 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 14608 start_va = 0x940000 end_va = 0x969fff monitored = 0 entry_point = 0x945680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14609 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 14610 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14618 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 14619 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 14620 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 14621 start_va = 0xb80000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 14622 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 14624 start_va = 0x940000 end_va = 0x9d0fff monitored = 0 entry_point = 0x978cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14625 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 14626 start_va = 0x940000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 14627 start_va = 0x950000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 14628 start_va = 0xa50000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 14629 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14630 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14631 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14632 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14633 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14634 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14635 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14636 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14637 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14638 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14640 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14641 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14642 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14643 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14644 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14645 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14646 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14647 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14648 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14649 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14650 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14651 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14652 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14653 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14654 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14655 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14656 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14657 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14658 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14659 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14660 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14661 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14662 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14663 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14664 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14665 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14666 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14667 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14668 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14669 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14670 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14671 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14672 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14673 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14674 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14675 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14676 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14677 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14678 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14679 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14680 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14681 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14682 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14683 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14684 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14685 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14686 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14687 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14688 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14689 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14690 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14691 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14692 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14693 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14694 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14695 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14696 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14697 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14698 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14699 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14700 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14701 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14702 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14703 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14704 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14705 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14706 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14709 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14710 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14711 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14712 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14713 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14714 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14715 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14716 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14717 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14718 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14719 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14720 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14721 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14722 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14723 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14724 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14725 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14726 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14727 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14728 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14729 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14730 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14731 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14732 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14733 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14734 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14735 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14736 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14737 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14738 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14739 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14740 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14741 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14742 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14743 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14744 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14745 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14746 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14747 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14748 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14749 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14750 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14751 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14752 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14753 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14754 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14755 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14756 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14757 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14758 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14759 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14760 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14761 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14762 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14763 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14764 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14765 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14766 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14767 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14768 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14769 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14770 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14771 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14772 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14773 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14774 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14776 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14777 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14778 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14779 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14780 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14781 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14782 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14783 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14784 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14785 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14786 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14787 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14788 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14789 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14790 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14791 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14792 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14793 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14794 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14795 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14796 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14797 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14798 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14799 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14800 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14801 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14802 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14803 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14804 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14805 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14806 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14807 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14808 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14809 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14810 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14811 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14812 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14813 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14814 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14815 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14816 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14817 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14818 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14819 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14820 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14821 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14822 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14823 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14824 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14825 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14826 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14827 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14828 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14829 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14830 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14831 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14832 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14833 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14834 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14835 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14836 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14837 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14838 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14839 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14840 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14841 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14842 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14843 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14844 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14845 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14846 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14848 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14849 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14850 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14851 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14852 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14853 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14854 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14855 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14856 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14857 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14858 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14859 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14860 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14861 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14862 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14863 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14864 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14865 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14866 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14867 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14868 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14869 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14870 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14871 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14872 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14873 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14874 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14875 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14876 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14877 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14878 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14879 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14880 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14881 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14882 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14883 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 14884 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 22742 start_va = 0x940000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 22743 start_va = 0xa50000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 22744 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 22745 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Thread: id = 451 os_tid = 0xc6c [0160.223] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0160.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0160.223] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0160.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0160.224] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0160.224] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0160.224] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0160.224] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0160.225] GetProcessHeap () returned 0xa80000 [0160.225] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0160.225] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0160.225] GetLastError () returned 0x7e [0160.225] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0160.225] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0160.225] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x364) returned 0xa90a50 [0160.226] SetLastError (dwErrCode=0x7e) [0160.226] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0xe00) returned 0xa90dc0 [0160.228] GetStartupInfoW (in: lpStartupInfo=0x18f844 | out: lpStartupInfo=0x18f844*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0160.228] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0160.228] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0160.228] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0160.228] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"" [0160.228] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"" [0160.228] GetACP () returned 0x4e4 [0160.228] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x220) returned 0xa91bc8 [0160.228] IsValidCodePage (CodePage=0x4e4) returned 1 [0160.228] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f864 | out: lpCPInfo=0x18f864) returned 1 [0160.228] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f12c | out: lpCPInfo=0x18f12c) returned 1 [0160.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0160.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18eec8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0160.228] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f140 | out: lpCharType=0x18f140) returned 1 [0160.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0160.228] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0160.228] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0160.229] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0160.229] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0160.229] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0160.229] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f640, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<)BO|ø\x18", lpUsedDefaultChar=0x0) returned 256 [0160.229] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0160.229] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f740, cbMultiByte=256, lpWideCharStr=0x18ee98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0160.229] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0160.229] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0160.229] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f540, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<)BO|ø\x18", lpUsedDefaultChar=0x0) returned 256 [0160.229] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x80) returned 0xa83858 [0160.229] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0160.229] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x17a) returned 0xa91df0 [0160.229] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0160.229] GetLastError () returned 0x0 [0160.229] SetLastError (dwErrCode=0x0) [0160.229] GetEnvironmentStringsW () returned 0xa91f78* [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0xa8c) returned 0xa92a10 [0160.230] FreeEnvironmentStringsW (penv=0xa91f78) returned 1 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x90) returned 0xa84548 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3e) returned 0xa8ad00 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x5c) returned 0xa88820 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x6e) returned 0xa84610 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x78) returned 0xa93d50 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x62) returned 0xa849e0 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x28) returned 0xa83d78 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x48) returned 0xa83fc8 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1a) returned 0xa80570 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3a) returned 0xa8ad48 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x62) returned 0xa83bd8 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2a) returned 0xa886d0 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2e) returned 0xa88468 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1c) returned 0xa83da8 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x144) returned 0xa89c98 [0160.230] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x7c) returned 0xa88080 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x36) returned 0xa8dfa0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3a) returned 0xa8afd0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x90) returned 0xa84380 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa838f8 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x30) returned 0xa88740 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x36) returned 0xa8e2a0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x48) returned 0xa828f0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x52) returned 0xa804b8 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3c) returned 0xa8ab50 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0xd6) returned 0xa89e58 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2e) returned 0xa884d8 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1e) returned 0xa82940 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2c) returned 0xa88580 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x54) returned 0xa83df0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x52) returned 0xa84050 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa83e50 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x42) returned 0xa840b0 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2c) returned 0xa88778 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x44) returned 0xa89f88 [0160.231] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa83928 [0160.232] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa92a10 | out: hHeap=0xa80000) returned 1 [0160.232] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x800) returned 0xa91f78 [0160.232] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0160.232] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0160.232] GetStartupInfoW (in: lpStartupInfo=0x18f8a8 | out: lpStartupInfo=0x18f8a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0160.232] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"" [0160.232] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"0\"", pNumArgs=0x18f894 | out: pNumArgs=0x18f894) returned 0xa92bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0160.233] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0160.235] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x1000) returned 0xa944b0 [0160.235] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x28) returned 0xa8a6d0 [0160.235] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getFeatures", cchWideChar=-1, lpMultiByteStr=0xa8a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getFeatures", lpUsedDefaultChar=0x0) returned 20 [0160.235] GetLastError () returned 0x0 [0160.236] SetLastError (dwErrCode=0x0) [0160.236] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesW") returned 0x0 [0160.236] GetLastError () returned 0x7f [0160.236] SetLastError (dwErrCode=0x7f) [0160.236] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesA") returned 0x0 [0160.236] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeatures") returned 0x647caac0 [0160.236] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x4) returned 0xa83800 [0160.236] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xa83800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0160.236] GetActiveWindow () returned 0x0 [0160.237] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa944b0 | out: hHeap=0xa80000) returned 1 [0160.237] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa8a6d0 | out: hHeap=0xa80000) returned 1 [0160.237] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa83800 | out: hHeap=0xa80000) returned 1 [0160.237] GetCurrentProcessId () returned 0xf58 [0160.237] GetCurrentThreadId () returned 0xc6c [0160.237] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0160.252] Thread32First (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.253] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.254] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.254] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.255] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.255] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.256] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.257] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.257] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.306] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.307] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.307] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.308] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.309] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.310] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.311] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.311] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.312] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.313] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.313] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.314] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.315] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.315] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.316] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.317] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.317] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.318] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.319] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.319] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.320] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.322] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.323] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.324] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.324] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.325] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.326] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.326] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.327] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.328] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.328] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.329] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.330] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.330] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.331] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.332] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.332] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.333] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.334] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.334] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.335] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.336] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.337] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.337] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.338] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.339] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.339] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.340] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.341] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.341] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.342] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.343] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.343] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.344] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.344] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.345] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.346] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.346] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.347] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.347] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.348] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.348] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.349] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.350] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.350] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.351] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.351] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.405] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.406] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.406] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.407] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.408] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.408] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.409] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.409] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.410] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.411] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.411] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.412] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.412] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.413] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.413] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.414] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.415] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.415] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.416] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.416] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.417] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.418] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.418] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.419] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.419] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.420] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.421] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.421] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.422] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.422] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.423] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.424] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.424] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.425] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.425] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.426] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.426] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.427] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.428] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.428] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.429] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.429] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.431] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.432] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.433] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.433] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.434] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.434] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.435] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.436] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.436] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.437] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.437] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.438] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.438] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.439] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.440] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.440] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.441] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.441] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.442] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.443] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.443] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.444] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.444] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.445] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.494] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.494] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.495] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.495] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.496] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.497] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.497] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.498] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.498] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.499] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.500] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.500] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.501] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.502] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.502] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.503] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.503] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.504] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.505] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.505] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.506] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.506] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.507] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.508] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.511] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.511] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.512] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.513] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.513] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.514] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.515] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.515] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.516] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.516] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.517] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.518] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.518] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.519] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.519] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.520] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.521] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.521] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.522] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.522] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.523] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.523] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.524] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.525] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.526] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.526] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.527] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.527] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.528] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.529] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.529] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.530] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.530] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.531] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.531] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.532] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.533] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.534] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.534] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.535] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.535] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.536] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.537] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.537] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.538] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.538] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.539] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.634] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.635] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.636] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.636] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.637] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.637] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.638] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.639] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.639] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.640] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.640] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.641] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.641] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.642] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.643] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.643] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.644] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.644] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.645] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.646] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.646] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.647] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.647] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.648] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.648] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.651] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.651] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.652] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.652] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.653] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.653] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.654] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.655] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.655] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.656] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.656] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0160.657] Thread32Next (hSnapshot=0x150, lpte=0x18f878) returned 1 [0161.265] CloseHandle (hObject=0x150) returned 1 [0161.266] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xf54) returned 0x150 [0161.266] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0220.336] CloseHandle (hObject=0x150) returned 1 [0220.337] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0220.351] Thread32First (hSnapshot=0x150, lpte=0x18f878) returned 1 [0222.051] CloseHandle (hObject=0x150) returned 1 [0222.051] FreeLibrary (hLibModule=0x647c0000) returned 1 [0222.053] LocalFree (hMem=0xa92bc8) returned 0x0 [0222.053] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0222.053] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0222.054] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa83858 | out: hHeap=0xa80000) returned 1 [0222.055] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa91f78 | out: hHeap=0xa80000) returned 1 [0222.055] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0222.056] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0222.056] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f8a0 | out: phModule=0x18f8a0) returned 0 [0222.056] ExitProcess (uExitCode=0x0) [0222.057] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa90a50 | out: hHeap=0xa80000) returned 1 Thread: id = 454 os_tid = 0xf54 Process: id = "221" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4b7cc000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14920 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14921 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14922 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14923 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 14924 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 14925 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 14926 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 14927 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 14928 start_va = 0x830000 end_va = 0x831fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 14929 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 14930 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 14931 start_va = 0x7e980000 end_va = 0x7e9a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e980000" filename = "" Region: id = 14932 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 14933 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 14934 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 14935 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 14936 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 14937 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 14938 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 14939 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14940 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 14941 start_va = 0x840000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 14942 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 14943 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 14944 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 14945 start_va = 0x7e880000 end_va = 0x7e97ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e880000" filename = "" Region: id = 14946 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 14947 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 14948 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 14949 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 14950 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 14951 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 14952 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 14953 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 14954 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 14955 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 14956 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 14957 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 14958 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 14959 start_va = 0x830000 end_va = 0x833fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 14960 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 14961 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 14962 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 14964 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 14965 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 14966 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 14967 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 14968 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 14969 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 14970 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 14971 start_va = 0x840000 end_va = 0x869fff monitored = 0 entry_point = 0x845680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14972 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 14973 start_va = 0xa00000 end_va = 0xb87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 14974 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 14975 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 14976 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 14977 start_va = 0xb90000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 14978 start_va = 0xd20000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 14979 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 14980 start_va = 0x840000 end_va = 0x8d0fff monitored = 0 entry_point = 0x878cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 14981 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 14982 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 14983 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 14984 start_va = 0x850000 end_va = 0x857fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 14988 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 14989 start_va = 0x860000 end_va = 0x861fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 14990 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 14991 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 14992 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 14993 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Thread: id = 457 os_tid = 0xf6c [0161.592] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0161.592] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0161.593] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0161.593] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0161.593] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0161.593] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0161.593] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0161.594] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0161.594] GetProcessHeap () returned 0x900000 [0161.594] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0161.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0161.594] GetLastError () returned 0x7e [0161.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0161.594] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0161.594] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x364) returned 0x910a50 [0161.595] SetLastError (dwErrCode=0x7e) [0161.595] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xe00) returned 0x910dc0 [0161.596] GetStartupInfoW (in: lpStartupInfo=0x18f748 | out: lpStartupInfo=0x18f748*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0161.596] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0161.596] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0161.596] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0161.596] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"" [0161.596] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"" [0161.597] GetACP () returned 0x4e4 [0161.597] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x220) returned 0x911bc8 [0161.597] IsValidCodePage (CodePage=0x4e4) returned 1 [0161.597] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f768 | out: lpCPInfo=0x18f768) returned 1 [0161.597] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f030 | out: lpCPInfo=0x18f030) returned 1 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18edd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0161.597] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f044 | out: lpCharType=0x18f044) returned 1 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0161.597] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0161.597] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0161.597] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0161.597] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0161.597] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f544, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQé\x8d÷\x80÷\x18", lpUsedDefaultChar=0x0) returned 256 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0161.597] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0161.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0161.598] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0161.598] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f444, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQé\x8d÷\x80÷\x18", lpUsedDefaultChar=0x0) returned 256 [0161.598] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x80) returned 0x903858 [0161.598] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0161.598] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x17a) returned 0x911df0 [0161.598] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0161.598] GetLastError () returned 0x0 [0161.598] SetLastError (dwErrCode=0x0) [0161.598] GetEnvironmentStringsW () returned 0x911f78* [0161.598] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0xa8c) returned 0x912a10 [0161.599] FreeEnvironmentStringsW (penv=0x911f78) returned 1 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x904548 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3e) returned 0x90ab98 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x5c) returned 0x908820 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x6e) returned 0x904610 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x78) returned 0x914250 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x9049e0 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x28) returned 0x903d78 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x903fc8 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1a) returned 0x900570 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90ac70 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x903bd8 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2a) returned 0x9085b8 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x908660 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1c) returned 0x903da8 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x144) returned 0x909c98 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x7c) returned 0x908080 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e1e0 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90aac0 [0161.599] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x904380 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x9038f8 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x30) returned 0x9085f0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e6e0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x9028f0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x9004b8 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3c) returned 0x90aa30 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xd6) returned 0x909e58 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x9084a0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1e) returned 0x902940 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908708 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x54) returned 0x903df0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x904050 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x903e50 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x42) returned 0x9040b0 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908698 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x44) returned 0x909f88 [0161.600] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x903928 [0161.601] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x912a10 | out: hHeap=0x900000) returned 1 [0161.601] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x800) returned 0x911f78 [0161.601] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0161.601] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0161.601] GetStartupInfoW (in: lpStartupInfo=0x18f7ac | out: lpStartupInfo=0x18f7ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0161.601] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"" [0161.601] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"", pNumArgs=0x18f798 | out: pNumArgs=0x18f798) returned 0x912bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0161.602] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0161.607] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x1000) returned 0x9144b0 [0161.607] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x28) returned 0x90a6d0 [0161.607] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getLogLevel", cchWideChar=-1, lpMultiByteStr=0x90a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getLogLevel", lpUsedDefaultChar=0x0) returned 20 [0161.607] GetLastError () returned 0x0 [0161.607] SetLastError (dwErrCode=0x0) [0161.607] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelW") returned 0x0 [0161.607] GetLastError () returned 0x7f [0161.607] SetLastError (dwErrCode=0x7f) [0161.607] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelA") returned 0x0 [0161.608] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevel") returned 0x647cb01c [0161.608] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x4) returned 0x903800 [0161.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x903800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0161.608] GetActiveWindow () returned 0x0 [0161.609] GetLastError () returned 0x7f [0161.609] SetLastError (dwErrCode=0x7f) Thread: id = 459 os_tid = 0xfc8 Process: id = "222" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59134000" os_pid = "0xfb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "221" os_parent_pid = "0xf70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "223" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4bae5000" os_pid = "0xc5c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 14996 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 14997 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 14998 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 14999 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 15000 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 15001 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 15002 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 15003 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15004 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 15005 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 15006 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 15007 start_va = 0x7ee40000 end_va = 0x7ee62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 15008 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15009 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 15010 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15011 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 15012 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15013 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 15014 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 15015 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15016 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 15017 start_va = 0x7c0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 15018 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15019 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 15026 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15027 start_va = 0x7ed40000 end_va = 0x7ee3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 15028 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15029 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 15030 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 15031 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 15032 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 15033 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 15034 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 15035 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 15036 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 15037 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 15038 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 15039 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 15040 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 15041 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 15042 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 15043 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 15044 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 15045 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 15046 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 15047 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 15048 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 15049 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 15050 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 15051 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 15052 start_va = 0x7c0000 end_va = 0x7e9fff monitored = 0 entry_point = 0x7c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15053 start_va = 0x8b0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 15054 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15055 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 15056 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15057 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 15058 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 15059 start_va = 0xb40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 15060 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 15061 start_va = 0x7c0000 end_va = 0x850fff monitored = 0 entry_point = 0x7f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 15062 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 15063 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 15064 start_va = 0xb40000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 15065 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 15066 start_va = 0x7c0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 15067 start_va = 0x7e0000 end_va = 0x7e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 15068 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15069 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15070 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15071 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15072 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15073 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15074 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15075 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15076 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15077 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15078 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15079 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15080 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15081 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15082 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15083 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15084 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15085 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15086 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15087 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15088 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15089 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15090 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15091 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15092 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15093 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15094 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15095 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15096 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15097 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15098 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15099 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15100 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15101 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15102 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15103 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15104 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15105 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15106 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15107 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15108 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15109 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15110 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15111 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15112 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15113 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15114 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15115 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15116 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15117 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15118 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15119 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15120 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15121 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15122 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15123 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15124 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15125 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15126 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15127 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15128 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15129 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15130 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15131 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15132 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15133 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15134 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15135 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15136 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15137 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15138 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15139 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15140 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15141 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15142 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15143 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15144 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15145 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15146 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15147 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15148 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15149 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15150 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15151 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15152 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15153 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15154 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15155 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15156 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15157 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15158 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15159 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15160 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15161 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15162 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15163 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15164 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15165 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15166 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15167 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15168 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15169 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15170 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15171 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15172 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15173 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15174 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15175 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15176 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15177 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15178 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15179 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15180 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15181 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15182 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15183 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15184 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15185 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15186 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15187 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15188 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15189 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15190 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15191 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15192 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15193 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15194 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15195 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15196 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15197 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15198 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15199 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15200 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15201 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15202 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15203 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15204 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15205 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15206 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15207 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15208 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15209 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15210 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15213 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15214 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15215 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15216 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15217 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15218 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15219 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15220 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15221 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15222 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15223 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15224 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15225 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15226 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15227 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15228 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15229 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15230 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15231 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15232 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15233 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15234 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15235 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15236 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15237 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15238 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15239 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15240 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15241 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15242 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15243 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15244 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15245 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15246 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15247 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15248 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15249 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15250 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15251 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15252 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15253 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15254 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15255 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15256 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15257 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15258 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15259 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15260 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15261 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15262 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15263 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15264 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15265 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15266 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15267 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15268 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15269 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15270 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15271 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15272 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15273 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15274 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15275 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15276 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15277 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15278 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15279 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15280 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15281 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15282 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15283 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15284 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15285 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15286 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15287 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15288 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15289 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15290 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15291 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15292 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15293 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15294 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15295 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15296 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15297 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15298 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15299 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15300 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15301 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15302 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15303 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15304 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15305 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15306 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15307 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15308 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15309 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15310 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15311 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15312 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15313 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15314 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15315 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15316 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15317 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15318 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 15319 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 22878 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 22879 start_va = 0x7c0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 22880 start_va = 0x7e0000 end_va = 0x7e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 22881 start_va = 0x7c0000 end_va = 0x7c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Thread: id = 461 os_tid = 0xfb0 [0162.145] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0162.146] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0162.146] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0162.146] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0162.146] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0162.146] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0162.147] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0162.147] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0162.147] GetProcessHeap () returned 0x8b0000 [0162.147] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0162.147] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0162.148] GetLastError () returned 0x7e [0162.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0162.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0162.148] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x364) returned 0x8c0a48 [0162.148] SetLastError (dwErrCode=0x7e) [0162.148] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0xe00) returned 0x8c0db8 [0162.152] GetStartupInfoW (in: lpStartupInfo=0x18f8c4 | out: lpStartupInfo=0x18f8c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0162.152] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0162.152] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0162.152] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0162.152] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"" [0162.152] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"" [0162.152] GetACP () returned 0x4e4 [0162.152] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x220) returned 0x8c1bc0 [0162.152] IsValidCodePage (CodePage=0x4e4) returned 1 [0162.152] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8e4 | out: lpCPInfo=0x18f8e4) returned 1 [0162.152] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1ac | out: lpCPInfo=0x18f1ac) returned 1 [0162.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0162.152] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x18ef48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0162.152] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1c0 | out: lpCharType=0x18f1c0) returned 1 [0162.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0162.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x18ef08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0162.153] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0162.153] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0162.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0162.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0162.153] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x13 Ô6üø\x18", lpUsedDefaultChar=0x0) returned 256 [0162.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0162.153] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c0, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0162.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0162.153] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0162.153] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5c0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x13 Ô6üø\x18", lpUsedDefaultChar=0x0) returned 256 [0162.153] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x80) returned 0x8b3850 [0162.153] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0162.153] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x178) returned 0x8c1de8 [0162.153] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0162.153] GetLastError () returned 0x0 [0162.153] SetLastError (dwErrCode=0x0) [0162.154] GetEnvironmentStringsW () returned 0x8c1f68* [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0xa8c) returned 0x8c2a00 [0162.154] FreeEnvironmentStringsW (penv=0x8c1f68) returned 1 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x90) returned 0x8b4540 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3e) returned 0x8bb0a0 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x5c) returned 0x8b8a78 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x6e) returned 0x8b4608 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x78) returned 0x8c3ac0 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x62) returned 0x8b49d8 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x28) returned 0x8b3d70 [0162.154] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x48) returned 0x8b3fc0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1a) returned 0x8b0570 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3a) returned 0x8baef0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x62) returned 0x8b3bd0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2a) returned 0x8b87d8 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2e) returned 0x8b89d0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1c) returned 0x8b3da0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x144) returned 0x8b9c90 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x7c) returned 0x8b8078 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x36) returned 0x8be418 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3a) returned 0x8bab00 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x90) returned 0x8b4378 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b38f0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x30) returned 0x8b8880 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x36) returned 0x8be598 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x48) returned 0x8b28f0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x52) returned 0x8b04b8 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3c) returned 0x8bafc8 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0xd6) returned 0x8b9e50 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2e) returned 0x8b87a0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1e) returned 0x8b2940 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2c) returned 0x8b86c0 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x54) returned 0x8b3de8 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x52) returned 0x8b4048 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b3e48 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x42) returned 0x8b40a8 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2c) returned 0x8b8730 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x44) returned 0x8b9f80 [0162.155] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b3920 [0162.156] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8c2a00 | out: hHeap=0x8b0000) returned 1 [0162.156] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x800) returned 0x8c1f68 [0162.156] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0162.156] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0162.157] GetStartupInfoW (in: lpStartupInfo=0x18f928 | out: lpStartupInfo=0x18f928*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0162.157] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"" [0162.157] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"0\"", pNumArgs=0x18f914 | out: pNumArgs=0x18f914) returned 0x8c2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0162.157] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0162.160] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x1000) returned 0x8c44a0 [0162.160] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x26) returned 0x8ba6c8 [0162.160] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getMessage", cchWideChar=-1, lpMultiByteStr=0x8ba6c8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getMessage", lpUsedDefaultChar=0x0) returned 19 [0162.160] GetLastError () returned 0x0 [0162.160] SetLastError (dwErrCode=0x0) [0162.160] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageW") returned 0x0 [0162.160] GetLastError () returned 0x7f [0162.161] SetLastError (dwErrCode=0x7f) [0162.161] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageA") returned 0x0 [0162.161] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessage") returned 0x647ca2d0 [0162.161] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x4) returned 0x8b37f8 [0162.161] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x8b37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0162.161] GetActiveWindow () returned 0x0 [0162.166] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8c44a0 | out: hHeap=0x8b0000) returned 1 [0162.166] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8ba6c8 | out: hHeap=0x8b0000) returned 1 [0162.166] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8b37f8 | out: hHeap=0x8b0000) returned 1 [0162.166] GetCurrentProcessId () returned 0xc5c [0162.166] GetCurrentThreadId () returned 0xfb0 [0162.167] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0162.185] Thread32First (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.186] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.186] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.187] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.188] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.188] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.189] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.189] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.190] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.190] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.191] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.192] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.192] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.193] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.193] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.194] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.195] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.195] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.199] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.199] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.200] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.201] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.201] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.202] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.202] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.203] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.204] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.204] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.205] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.205] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.206] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.207] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.207] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.208] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.208] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.209] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.209] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.210] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.211] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.211] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.212] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.215] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.215] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.216] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.216] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.217] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.218] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.218] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.219] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.219] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.220] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.220] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.221] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.222] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.222] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.223] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.223] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.224] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.225] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.225] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.226] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.226] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.229] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.230] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.230] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.231] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.232] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.232] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.233] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.233] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.234] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.236] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.236] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.237] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.239] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.239] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.241] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.242] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.242] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.249] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.250] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.251] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.251] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.252] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.252] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.253] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.254] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.254] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.255] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.255] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.256] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.256] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.257] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.258] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.261] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.261] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.263] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.264] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.264] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.266] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.267] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.267] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.269] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.269] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.270] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.271] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.271] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.273] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.277] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.278] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.278] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.279] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.279] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.280] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.281] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.281] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.282] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.282] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.283] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.283] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.284] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.285] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.285] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.286] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.286] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.287] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.287] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.288] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.289] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.302] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.302] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.305] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.306] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.306] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.307] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.307] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.308] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.308] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.309] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.310] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.310] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.311] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.311] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.312] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.313] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.313] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.314] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.314] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.315] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.315] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.316] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.317] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.317] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.318] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.318] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.319] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.320] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.320] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.323] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.324] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.324] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.325] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.325] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.326] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.327] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.327] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.328] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.328] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.329] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.330] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.330] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.331] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.331] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.332] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.333] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.333] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.334] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.335] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.335] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.337] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.340] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.341] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.342] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.342] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.343] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.344] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.344] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.345] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.345] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.346] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.348] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.349] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.349] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.350] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.351] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.351] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.355] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.357] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.358] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.359] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.360] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.360] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.362] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.363] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.365] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.366] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.367] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.369] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.370] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.371] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.371] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.372] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.373] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.374] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.374] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.375] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.376] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.377] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.377] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.378] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.379] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.380] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.380] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.381] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.381] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.382] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.383] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.401] Thread32Next (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0162.943] CloseHandle (hObject=0x150) returned 1 [0162.943] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x1004) returned 0x150 [0162.943] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0222.251] CloseHandle (hObject=0x150) returned 1 [0222.251] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0222.261] Thread32First (hSnapshot=0x150, lpte=0x18f8f8) returned 1 [0223.879] CloseHandle (hObject=0x150) returned 1 [0223.879] FreeLibrary (hLibModule=0x647c0000) returned 1 [0223.881] LocalFree (hMem=0x8c2bb8) returned 0x0 [0223.881] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0223.881] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0223.882] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8b3850 | out: hHeap=0x8b0000) returned 1 [0223.883] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8c1f68 | out: hHeap=0x8b0000) returned 1 [0223.883] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0223.884] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0223.884] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f920 | out: phModule=0x18f920) returned 0 [0223.884] ExitProcess (uExitCode=0x0) [0223.885] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8c0a48 | out: hHeap=0x8b0000) returned 1 Thread: id = 465 os_tid = 0x1004 Process: id = "224" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4b5fc000" os_pid = "0x1064" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15323 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15324 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15325 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 15326 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 15327 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 15328 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 15329 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 15330 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15331 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 15332 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 15333 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 15334 start_va = 0x7f050000 end_va = 0x7f072fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f050000" filename = "" Region: id = 15335 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15336 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 15337 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15338 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 15339 start_va = 0x400000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 15340 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 15341 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 15342 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15343 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 15344 start_va = 0xd00000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 15345 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15346 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 15348 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15349 start_va = 0x7ef50000 end_va = 0x7f04ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef50000" filename = "" Region: id = 15350 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15351 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 15352 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 15353 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 15354 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15355 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 15356 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 15357 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 15358 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 15359 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 15360 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 15361 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 15362 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 15363 start_va = 0xcf0000 end_va = 0xcf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 15364 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 15365 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 15366 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 15367 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 15368 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 15369 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 15370 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 15371 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 15372 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 15373 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 15374 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 15375 start_va = 0xd00000 end_va = 0xd29fff monitored = 0 entry_point = 0xd05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15376 start_va = 0xdb0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 15377 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15378 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 15379 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 15380 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 15381 start_va = 0xd00000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 15382 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 15383 start_va = 0xeb0000 end_va = 0xf40fff monitored = 0 entry_point = 0xee8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 15384 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 15385 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 15386 start_va = 0xd10000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 15387 start_va = 0x910000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 15388 start_va = 0xd20000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 15389 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15390 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15391 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15392 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15393 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15394 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15395 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15396 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15397 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15398 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15399 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15400 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15401 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15402 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15403 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15404 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15405 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15406 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15407 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15408 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15409 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15410 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15411 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15412 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15413 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15414 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15415 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15416 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15417 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15418 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15419 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15420 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15421 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15422 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15423 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15424 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15425 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15426 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15427 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15428 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15429 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15430 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15431 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15432 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15433 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15434 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15435 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15436 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15437 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15438 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15439 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15440 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15441 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15442 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15443 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15444 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15445 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15446 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15447 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15448 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15449 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15450 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15451 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15452 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15453 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15454 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15455 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15456 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15457 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15458 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15459 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15460 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15461 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15462 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15463 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15464 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15465 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15466 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15467 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15468 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15469 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15470 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15471 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15472 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15473 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15474 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15475 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15476 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15477 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15478 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15479 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15480 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15481 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15482 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15483 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15484 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15485 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15486 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15487 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15488 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15489 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15490 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15491 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15492 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15493 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15494 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15495 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15496 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15497 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15498 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15499 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15500 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15501 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15502 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15503 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15504 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15505 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15506 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15507 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15508 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15509 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15510 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15511 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15512 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15513 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15514 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15515 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15516 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15517 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15518 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15519 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15520 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15521 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15522 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15523 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15524 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15525 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15526 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15527 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15528 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15529 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15530 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15531 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15532 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15533 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15534 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15535 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15536 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15537 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15538 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15539 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15540 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15541 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15542 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15543 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15544 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15545 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15546 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15547 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15548 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15549 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15550 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15551 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15552 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15553 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15554 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15555 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15556 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15557 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15558 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15559 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15560 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15561 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15562 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15563 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15564 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15565 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15566 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15567 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15568 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15569 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15570 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15571 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15572 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15573 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15574 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15575 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15576 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15577 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15578 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15579 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15580 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15581 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15582 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15583 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15584 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15585 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15586 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15587 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15588 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15589 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15590 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15591 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15592 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15593 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15594 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15595 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15596 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15597 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15598 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15599 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15600 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15601 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15602 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15603 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15604 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15605 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15606 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15607 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15608 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15609 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15610 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15611 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15612 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15613 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15614 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15615 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15616 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15617 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15618 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15619 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15620 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15621 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15622 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15623 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15624 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15625 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15626 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15627 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15628 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15629 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15630 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15631 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15632 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15633 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15634 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15635 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15636 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15637 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15638 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 15639 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 22928 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 22929 start_va = 0xd20000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 22930 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 22931 start_va = 0xd00000 end_va = 0xd05fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Thread: id = 469 os_tid = 0x103c [0163.142] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0163.142] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.142] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0163.142] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.142] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0163.142] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0163.143] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.143] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0163.144] GetProcessHeap () returned 0xdb0000 [0163.144] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.144] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0163.144] GetLastError () returned 0x7e [0163.144] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0163.144] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0163.144] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x364) returned 0xdc0a50 [0163.145] SetLastError (dwErrCode=0x7e) [0163.145] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0xe00) returned 0xdc0dc0 [0163.147] GetStartupInfoW (in: lpStartupInfo=0x18f848 | out: lpStartupInfo=0x18f848*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0163.147] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0163.147] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0163.147] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0163.147] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"" [0163.147] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"" [0163.147] GetACP () returned 0x4e4 [0163.147] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x220) returned 0xdc1bc8 [0163.147] IsValidCodePage (CodePage=0x4e4) returned 1 [0163.147] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f868 | out: lpCPInfo=0x18f868) returned 1 [0163.147] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f130 | out: lpCPInfo=0x18f130) returned 1 [0163.147] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.147] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0163.147] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f144 | out: lpCharType=0x18f144) returned 1 [0163.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0163.148] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.148] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0163.148] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0163.148] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0163.148] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f644, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿùaÕ8\x80ø\x18", lpUsedDefaultChar=0x0) returned 256 [0163.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.148] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f744, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0163.148] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0163.148] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0163.148] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f544, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿùaÕ8\x80ø\x18", lpUsedDefaultChar=0x0) returned 256 [0163.149] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x80) returned 0xdb3850 [0163.149] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0163.149] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x178) returned 0xdc1df0 [0163.149] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0163.149] GetLastError () returned 0x0 [0163.149] SetLastError (dwErrCode=0x0) [0163.149] GetEnvironmentStringsW () returned 0xdc1f70* [0163.149] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0xa8c) returned 0xdc2a08 [0163.149] FreeEnvironmentStringsW (penv=0xdc1f70) returned 1 [0163.149] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x90) returned 0xdb4540 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3e) returned 0xdbab08 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x5c) returned 0xdb8a80 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x6e) returned 0xdb4838 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x78) returned 0xdc4148 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x62) returned 0xdb49d8 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x28) returned 0xdb3d70 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x48) returned 0xdb3fc0 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1a) returned 0xdb3da0 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3a) returned 0xdbafd0 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x62) returned 0xdb4608 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2a) returned 0xdb86c8 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2e) returned 0xdb8888 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1c) returned 0xdb47a8 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x144) returned 0xdb9c98 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x7c) returned 0xdb4378 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x36) returned 0xdbe560 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3a) returned 0xdbaa78 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x90) returned 0xdb3de8 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb47d0 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x30) returned 0xdb8770 [0163.150] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x36) returned 0xdbe5a0 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x48) returned 0xdb3bd0 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x52) returned 0xdb38f0 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x3c) returned 0xdbab50 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0xd6) returned 0xdb9e58 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2e) returned 0xdb8818 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x1e) returned 0xdb3c20 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2c) returned 0xdb88f8 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x54) returned 0xdb28f0 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x52) returned 0xdb04b8 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb4048 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x42) returned 0xdb4078 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x2c) returned 0xdb8700 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x44) returned 0xdb9f88 [0163.151] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x24) returned 0xdb40c8 [0163.151] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdc2a08 | out: hHeap=0xdb0000) returned 1 [0163.152] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x8, Size=0x800) returned 0xdc1f70 [0163.152] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0163.152] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0163.153] GetStartupInfoW (in: lpStartupInfo=0x18f8ac | out: lpStartupInfo=0x18f8ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0163.153] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"" [0163.153] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"0\"", pNumArgs=0x18f898 | out: pNumArgs=0x18f898) returned 0xdc2bc0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0163.153] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0163.156] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x1000) returned 0xdc44a8 [0163.156] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x26) returned 0xdb82b8 [0163.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getVersion", cchWideChar=-1, lpMultiByteStr=0xdb82b8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getVersion", lpUsedDefaultChar=0x0) returned 19 [0163.157] GetLastError () returned 0x0 [0163.157] SetLastError (dwErrCode=0x0) [0163.157] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionW") returned 0x0 [0163.157] GetLastError () returned 0x7f [0163.157] SetLastError (dwErrCode=0x7f) [0163.157] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionA") returned 0x0 [0163.157] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersion") returned 0x647caab6 [0163.157] RtlAllocateHeap (HeapHandle=0xdb0000, Flags=0x0, Size=0x4) returned 0xdb3e80 [0163.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xdb3e80, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0163.158] GetActiveWindow () returned 0x0 [0163.158] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdc44a8 | out: hHeap=0xdb0000) returned 1 [0163.159] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdb82b8 | out: hHeap=0xdb0000) returned 1 [0163.159] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdb3e80 | out: hHeap=0xdb0000) returned 1 [0163.159] GetCurrentProcessId () returned 0x1064 [0163.159] GetCurrentThreadId () returned 0x103c [0163.159] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0163.169] Thread32First (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.170] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.170] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.171] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.172] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.173] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.173] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.174] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.175] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.176] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.176] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.177] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.178] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.179] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.179] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.180] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.181] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.182] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.182] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.190] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.191] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.192] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.192] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.193] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.194] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.195] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.195] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.213] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.214] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.215] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.216] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.216] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.217] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.218] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.219] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.219] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.220] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.221] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.222] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.222] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.223] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.224] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.225] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.225] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.226] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.227] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.228] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.229] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.229] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.230] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.231] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.232] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.232] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.233] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.234] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.234] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.235] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.236] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.237] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.237] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.238] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.239] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.239] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.240] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.241] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.242] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.247] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.248] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.249] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.249] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.250] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.251] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.252] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.252] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.253] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.254] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.254] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.255] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.256] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.257] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.257] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.258] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.259] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.260] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.261] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.261] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.262] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.263] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.264] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.264] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.265] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.266] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.267] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.267] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.268] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.269] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.269] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.270] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.271] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.272] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.272] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.273] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.275] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.275] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.276] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.277] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.277] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.278] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.279] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.280] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.280] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.281] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.282] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.283] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.283] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.284] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.285] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.286] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.286] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.287] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.288] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.289] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.289] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.350] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.351] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.351] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.353] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.353] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.354] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.355] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.356] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.356] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.357] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.358] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.359] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.359] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.360] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.361] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.362] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.362] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.363] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.364] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.365] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.365] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.366] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.367] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.368] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.368] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.369] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.370] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.371] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.371] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.372] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.373] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.374] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.374] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.375] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.376] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.376] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.377] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.378] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.378] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.379] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.380] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.381] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.382] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.382] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.391] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.392] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.393] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.393] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.394] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.395] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.396] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.396] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.397] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.398] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.398] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.420] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.421] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.422] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.423] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.423] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.424] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.425] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.426] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.426] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.427] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.428] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.429] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.429] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.433] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.434] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.435] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.435] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.436] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.437] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.438] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.438] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.439] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.440] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.440] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.441] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.442] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.443] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.443] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.444] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.445] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.472] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.473] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.474] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.475] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.475] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.476] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.478] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.478] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.479] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.480] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.480] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.481] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.482] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.482] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.483] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.483] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.484] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.484] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.485] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.486] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.486] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.487] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.487] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.488] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.489] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.489] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.490] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.490] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.491] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.491] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.492] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.493] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.494] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.494] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.495] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.495] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.496] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.496] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.497] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.498] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.498] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.499] Thread32Next (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0163.749] CloseHandle (hObject=0x150) returned 1 [0163.749] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x17c) returned 0x150 [0163.749] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0223.528] CloseHandle (hObject=0x150) returned 1 [0223.528] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0223.544] Thread32First (hSnapshot=0x150, lpte=0x18f87c) returned 1 [0225.084] CloseHandle (hObject=0x150) returned 1 [0225.084] FreeLibrary (hLibModule=0x647c0000) returned 1 [0225.086] LocalFree (hMem=0xdc2bc0) returned 0x0 [0225.086] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0225.086] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0225.087] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdb3850 | out: hHeap=0xdb0000) returned 1 [0225.087] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdc1f70 | out: hHeap=0xdb0000) returned 1 [0225.087] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0225.088] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0225.088] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f8a4 | out: phModule=0x18f8a4) returned 0 [0225.088] ExitProcess (uExitCode=0x0) [0225.088] HeapFree (in: hHeap=0xdb0000, dwFlags=0x0, lpMem=0xdc0a50 | out: hHeap=0xdb0000) returned 1 Thread: id = 471 os_tid = 0x17c Process: id = "225" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4a8ca000" os_pid = "0xc68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15649 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15650 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15651 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 15652 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 15653 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 15654 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 15655 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 15656 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15657 start_va = 0xba0000 end_va = 0xba1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 15658 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 15659 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 15660 start_va = 0x7ef40000 end_va = 0x7ef62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef40000" filename = "" Region: id = 15661 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15662 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 15663 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15664 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 15665 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 15666 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 15667 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 15668 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15669 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 15670 start_va = 0xbb0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 15671 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15672 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 15673 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15674 start_va = 0x7ee40000 end_va = 0x7ef3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 15675 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15676 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 15677 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 15678 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15679 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 15680 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 15681 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 15682 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 15683 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 15684 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 15685 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 15686 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 15687 start_va = 0xba0000 end_va = 0xba3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 15688 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 15689 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 15690 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 15691 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 15692 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 15693 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 15694 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 15695 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 15696 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 15697 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 15698 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 15699 start_va = 0xbb0000 end_va = 0xbd9fff monitored = 0 entry_point = 0xbb5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15700 start_va = 0xcc0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 15701 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15702 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 15703 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 15704 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 15705 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 15706 start_va = 0xbb0000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 15707 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 15709 start_va = 0xbb0000 end_va = 0xc40fff monitored = 0 entry_point = 0xbe8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 15710 start_va = 0xcb0000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 15711 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 15712 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 15713 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 15714 start_va = 0xbc0000 end_va = 0xbc7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 15715 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 15716 start_va = 0xbd0000 end_va = 0xbd1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 15717 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 15718 start_va = 0xbd0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 15719 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 15720 start_va = 0xbd0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Thread: id = 472 os_tid = 0xc18 [0163.962] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0163.963] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.963] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0163.963] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.963] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0163.963] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0163.964] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.964] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0163.964] GetProcessHeap () returned 0xcc0000 [0163.964] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.964] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0163.964] GetLastError () returned 0x7e [0163.965] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0163.965] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0163.965] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x364) returned 0xcd0a48 [0163.965] SetLastError (dwErrCode=0x7e) [0163.965] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0xe00) returned 0xcd0db8 [0163.967] GetStartupInfoW (in: lpStartupInfo=0x18f950 | out: lpStartupInfo=0x18f950*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0163.967] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0163.967] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0163.967] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0163.967] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"" [0163.967] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"" [0163.967] GetACP () returned 0x4e4 [0163.967] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0x220) returned 0xcd1bc0 [0163.967] IsValidCodePage (CodePage=0x4e4) returned 1 [0163.967] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f970 | out: lpCPInfo=0x18f970) returned 1 [0163.967] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f238 | out: lpCPInfo=0x18f238) returned 1 [0163.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0163.967] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f24c | out: lpCharType=0x18f24c) returned 1 [0163.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0163.968] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0163.968] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0163.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0163.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0163.968] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f74c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿhIÂ*\x88ù\x18", lpUsedDefaultChar=0x0) returned 256 [0163.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0163.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0163.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0163.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0163.968] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f64c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿhIÂ*\x88ù\x18", lpUsedDefaultChar=0x0) returned 256 [0163.968] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0x80) returned 0xcc3850 [0163.968] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0163.968] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x178) returned 0xcd1de8 [0163.968] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0163.968] GetLastError () returned 0x0 [0163.968] SetLastError (dwErrCode=0x0) [0163.968] GetEnvironmentStringsW () returned 0xcd1f68* [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0xa8c) returned 0xcd2a00 [0163.969] FreeEnvironmentStringsW (penv=0xcd1f68) returned 1 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x90) returned 0xcc47a0 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x3e) returned 0xccb010 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x5c) returned 0xcc8a78 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x6e) returned 0xcc4868 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x78) returned 0xcd38c0 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x62) returned 0xcc4c38 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x28) returned 0xcc3d70 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x48) returned 0xcc3fc0 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x1a) returned 0xcc0570 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x3a) returned 0xcca998 [0163.969] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x62) returned 0xcc3bd0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x2a) returned 0xcc8688 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x2e) returned 0xcc8998 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x1c) returned 0xcc3da0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x144) returned 0xcc9c90 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x7c) returned 0xcc82d8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x36) returned 0xccdf58 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x3a) returned 0xccabd8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x90) returned 0xcc4378 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x24) returned 0xcc38f0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x30) returned 0xcc8768 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x36) returned 0xcce518 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x48) returned 0xcc28f0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x52) returned 0xcc04b8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x3c) returned 0xccac68 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0xd6) returned 0xcc9e50 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x2e) returned 0xcc89d0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x1e) returned 0xcc2940 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x2c) returned 0xcc86c0 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x54) returned 0xcc3de8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x52) returned 0xcc4048 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x24) returned 0xcc3e48 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x42) returned 0xcc40a8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x2c) returned 0xcc88b8 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x44) returned 0xcc9f80 [0163.970] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x24) returned 0xcc3920 [0163.971] HeapFree (in: hHeap=0xcc0000, dwFlags=0x0, lpMem=0xcd2a00 | out: hHeap=0xcc0000) returned 1 [0163.971] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x8, Size=0x800) returned 0xcd1f68 [0163.971] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0163.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0163.972] GetStartupInfoW (in: lpStartupInfo=0x18f9b4 | out: lpStartupInfo=0x18f9b4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0163.972] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"" [0163.972] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"", pNumArgs=0x18f9a0 | out: pNumArgs=0x18f9a0) returned 0xcd2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0163.972] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0163.975] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0x1000) returned 0xcd44a0 [0163.975] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0x26) returned 0xcca6c8 [0163.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_initialize", cchWideChar=-1, lpMultiByteStr=0xcca6c8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_initialize", lpUsedDefaultChar=0x0) returned 19 [0163.975] GetLastError () returned 0x0 [0163.975] SetLastError (dwErrCode=0x0) [0163.976] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeW") returned 0x0 [0163.976] GetLastError () returned 0x7f [0163.976] SetLastError (dwErrCode=0x7f) [0163.976] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeA") returned 0x0 [0163.976] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initialize") returned 0x647caad2 [0163.976] RtlAllocateHeap (HeapHandle=0xcc0000, Flags=0x0, Size=0x4) returned 0xcc37f8 [0163.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xcc37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0163.976] GetActiveWindow () returned 0x0 [0163.978] GetLastError () returned 0x7f [0163.978] SetLastError (dwErrCode=0x7f) Thread: id = 474 os_tid = 0xb90 Process: id = "226" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4d75e000" os_pid = "0x13ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "225" os_parent_pid = "0xc68" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "227" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7012a000" os_pid = "0x1320" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 15733 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 15734 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 15735 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 15736 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 15737 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 15738 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 15739 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 15740 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 15741 start_va = 0xd60000 end_va = 0xd61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 15742 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 15743 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 15744 start_va = 0x7f630000 end_va = 0x7f652fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f630000" filename = "" Region: id = 15745 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 15746 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 15747 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 15748 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 15749 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 15750 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 15751 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 15752 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15753 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 15754 start_va = 0xd70000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 15755 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 15756 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 15757 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 15758 start_va = 0x7f530000 end_va = 0x7f62ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f530000" filename = "" Region: id = 15759 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 15760 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 15761 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 15762 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 15763 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 15764 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 15765 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 15766 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 15767 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 15768 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 15769 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 15770 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 15771 start_va = 0xd60000 end_va = 0xd63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 15772 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 15773 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 15774 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 15775 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 15776 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 15777 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 15778 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 15779 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 15780 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 15781 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 15782 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 15783 start_va = 0xd70000 end_va = 0xd99fff monitored = 0 entry_point = 0xd75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15784 start_va = 0xde0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 15785 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 15786 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 15787 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 15788 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 15789 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 15790 start_va = 0xee0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 15791 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 15792 start_va = 0xee0000 end_va = 0xf70fff monitored = 0 entry_point = 0xf18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 15793 start_va = 0x10d0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 15794 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 15795 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 15796 start_va = 0x9a0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 15797 start_va = 0xd70000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 15798 start_va = 0xd90000 end_va = 0xd95fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 15799 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15800 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15801 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15802 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15803 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15804 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15805 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15806 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15807 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15808 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15809 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15810 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15811 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15812 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15813 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15814 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15815 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15816 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15817 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15818 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15819 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15820 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15821 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15822 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15823 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15824 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15825 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15826 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15827 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15828 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15829 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15830 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15831 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15832 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15833 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15834 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15835 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15836 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15837 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15838 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15839 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15840 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15841 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15842 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15843 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15844 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15845 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15846 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15847 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15848 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15849 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15850 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15851 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15852 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15853 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15854 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15855 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15856 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15857 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15858 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15859 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15860 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15861 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15862 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15863 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15864 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15865 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15866 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15867 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15868 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15869 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15870 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15871 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15872 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15873 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15874 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15875 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15876 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15877 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15878 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15879 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15880 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15881 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15882 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15883 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15884 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15885 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15886 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15887 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15888 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15889 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15890 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15891 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15892 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15893 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15894 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15895 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15896 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15897 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15898 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15899 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15900 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15901 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15902 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15903 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15904 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15905 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15906 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15907 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15908 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15909 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15910 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15911 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15912 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15913 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15914 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15915 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15916 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15917 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15918 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15919 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15920 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15921 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15922 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15923 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15924 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15925 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15926 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15927 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15928 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15929 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15930 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15931 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15932 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15933 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15934 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15935 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15936 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15937 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15938 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15939 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15940 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15941 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15942 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15943 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15946 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15947 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15948 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15949 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15950 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15951 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15952 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15953 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15954 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15955 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15956 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15957 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15958 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15959 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15960 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15961 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15962 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15963 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15964 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15965 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15966 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15967 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15968 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15969 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15970 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15971 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15972 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15973 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15974 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15975 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15976 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15977 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15978 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15979 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15980 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15981 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15982 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15983 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15984 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15985 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15986 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15987 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15988 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15989 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15990 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15991 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15992 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15993 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15994 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15995 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15996 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15997 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15998 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 15999 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16002 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16003 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16004 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16005 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16006 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16007 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16008 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16009 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16010 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16011 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16012 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16013 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16014 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16015 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16016 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16017 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16018 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16019 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16020 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16021 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16022 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16023 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16024 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16025 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16026 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16027 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16028 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16029 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16030 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16031 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16032 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16033 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16034 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16035 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16036 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16037 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16038 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16039 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16040 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16041 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16042 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16043 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16044 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16045 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16046 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16047 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16048 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16049 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16050 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16051 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16052 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 23081 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 23082 start_va = 0xd70000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 23083 start_va = 0xd90000 end_va = 0xd95fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 23084 start_va = 0xd70000 end_va = 0xd75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Thread: id = 476 os_tid = 0x138c [0164.734] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0164.734] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0164.735] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0164.735] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0164.735] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0164.735] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0164.735] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0164.736] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0164.736] GetProcessHeap () returned 0xde0000 [0164.736] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0164.736] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0164.736] GetLastError () returned 0x7e [0164.736] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0164.736] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0164.737] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x364) returned 0xdf0a40 [0164.737] SetLastError (dwErrCode=0x7e) [0164.737] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0xe00) returned 0xdf0db0 [0164.738] GetStartupInfoW (in: lpStartupInfo=0x18fd80 | out: lpStartupInfo=0x18fd80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0164.738] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0164.738] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0164.738] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0164.739] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"" [0164.739] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"" [0164.739] GetACP () returned 0x4e4 [0164.739] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x220) returned 0xdf1bb8 [0164.739] IsValidCodePage (CodePage=0x4e4) returned 1 [0164.739] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fda0 | out: lpCPInfo=0x18fda0) returned 1 [0164.739] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f668 | out: lpCPInfo=0x18f668) returned 1 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x18f408, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0164.739] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f67c | out: lpCharType=0x18f67c) returned 1 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0164.739] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0164.739] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0164.739] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0164.739] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0164.739] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb7c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÔ\x8dËu¸ý\x18", lpUsedDefaultChar=0x0) returned 256 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0164.739] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc7c, cbMultiByte=256, lpWideCharStr=0x18f3d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0164.739] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0164.739] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f1c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0164.740] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa7c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÔ\x8dËu¸ý\x18", lpUsedDefaultChar=0x0) returned 256 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x80) returned 0xde3848 [0164.740] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x170) returned 0xdf1de0 [0164.740] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0164.740] GetLastError () returned 0x0 [0164.740] SetLastError (dwErrCode=0x0) [0164.740] GetEnvironmentStringsW () returned 0xdf1f58* [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0xa8c) returned 0xdf29f0 [0164.740] FreeEnvironmentStringsW (penv=0xdf1f58) returned 1 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x90) returned 0xde4538 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3e) returned 0xdeab88 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x5c) returned 0xde8810 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x6e) returned 0xde4600 [0164.740] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x78) returned 0xdf36b0 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x62) returned 0xde49d0 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x28) returned 0xde3d68 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x48) returned 0xde3fb8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1a) returned 0xde0570 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3a) returned 0xdeab40 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x62) returned 0xde3bc8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2a) returned 0xde8570 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2e) returned 0xde8458 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1c) returned 0xde3d98 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x144) returned 0xde9c88 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x7c) returned 0xde8070 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x36) returned 0xdedf50 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3a) returned 0xdea9d8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x90) returned 0xde4370 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde38e8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x30) returned 0xde8650 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x36) returned 0xdee690 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x48) returned 0xde28e8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x52) returned 0xde04b8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3c) returned 0xdeacf0 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0xd6) returned 0xde9e48 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2e) returned 0xde8490 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1e) returned 0xde2938 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2c) returned 0xde85a8 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x54) returned 0xde3de0 [0164.741] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x52) returned 0xde4040 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde3e40 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x42) returned 0xde40a0 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2c) returned 0xde84c8 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x44) returned 0xde9f78 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde3918 [0164.742] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdf29f0 | out: hHeap=0xde0000) returned 1 [0164.742] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x800) returned 0xdf1f58 [0164.810] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0164.810] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0164.810] GetStartupInfoW (in: lpStartupInfo=0x18fde4 | out: lpStartupInfo=0x18fde4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0164.810] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"" [0164.810] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"0\"", pNumArgs=0x18fdd0 | out: pNumArgs=0x18fdd0) returned 0xdf2ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0164.811] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0164.813] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x1000) returned 0xdf4490 [0164.813] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x1e) returned 0xdea6c0 [0164.813] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_logout", cchWideChar=-1, lpMultiByteStr=0xdea6c0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_logout", lpUsedDefaultChar=0x0) returned 15 [0164.814] GetLastError () returned 0x0 [0164.814] SetLastError (dwErrCode=0x0) [0164.814] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutW") returned 0x0 [0164.814] GetLastError () returned 0x7f [0164.814] SetLastError (dwErrCode=0x7f) [0164.814] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutA") returned 0x0 [0164.814] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logout") returned 0x647cbcee [0164.814] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x4) returned 0xde37f0 [0164.814] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xde37f0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0164.814] GetActiveWindow () returned 0x0 [0164.815] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdf4490 | out: hHeap=0xde0000) returned 1 [0164.815] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdea6c0 | out: hHeap=0xde0000) returned 1 [0164.815] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xde37f0 | out: hHeap=0xde0000) returned 1 [0164.815] GetCurrentProcessId () returned 0x1320 [0164.815] GetCurrentThreadId () returned 0x138c [0164.815] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0164.824] Thread32First (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.824] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.825] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.826] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.826] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.827] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.827] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.828] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.829] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.829] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.830] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.830] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.831] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.831] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.832] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.833] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.833] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.834] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.834] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.835] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.836] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.838] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.839] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.839] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.840] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.840] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.841] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.841] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.842] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.843] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.843] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.844] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.844] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.845] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.846] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.846] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.847] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.847] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.848] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.849] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.849] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.850] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.850] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.851] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.851] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.901] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.902] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.902] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.903] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.904] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.904] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.905] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.906] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.906] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.907] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.908] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.908] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.909] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.910] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.910] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.911] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.912] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.912] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.913] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.914] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.916] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.916] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.917] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.918] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.918] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.919] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.920] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.920] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.921] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.922] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.922] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.923] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.924] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.924] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.925] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.926] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.926] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.927] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.928] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.928] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.929] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.930] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.952] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.953] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.953] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.954] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.955] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.955] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.956] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.957] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.957] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.958] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.959] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.960] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0164.960] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.007] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.009] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.009] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.010] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.011] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.012] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.013] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.013] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.014] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.015] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.016] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.016] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.017] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.018] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.019] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.020] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.020] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.021] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.022] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.023] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.024] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.025] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.026] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.026] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.027] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.028] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.029] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.030] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.030] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.031] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.032] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.033] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.034] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.034] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.035] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.036] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.037] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.038] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.038] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.039] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.040] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.041] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.042] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.043] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.043] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.073] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.074] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.075] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.076] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.076] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.077] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.078] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.079] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.080] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.081] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.081] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.082] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.083] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.084] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.085] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.085] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.087] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.088] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.088] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.089] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.090] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.091] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.092] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.092] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.093] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.094] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.095] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.096] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.096] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.097] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.098] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.099] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.100] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.100] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.101] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.102] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.103] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.104] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.105] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.106] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.106] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.107] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.108] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.109] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.110] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.110] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.111] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.112] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.113] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.114] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.114] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.115] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.116] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.117] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.135] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.136] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.137] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.137] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.138] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.139] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.140] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.140] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.141] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.142] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.143] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.144] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.144] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.145] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.146] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.147] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.147] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.148] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.150] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.151] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.151] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.152] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.153] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.154] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.155] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.156] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.156] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.157] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.158] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.159] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.160] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.160] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.161] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.162] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.163] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.164] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.165] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.165] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.166] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.167] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.168] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.169] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.169] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.170] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.171] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.172] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.173] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.173] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.174] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.175] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.176] Thread32Next (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0165.446] CloseHandle (hObject=0x150) returned 1 [0165.446] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xbfc) returned 0x150 [0165.446] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0225.007] CloseHandle (hObject=0x150) returned 1 [0225.008] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0225.016] Thread32First (hSnapshot=0x150, lpte=0x18fdb4) returned 1 [0226.149] CloseHandle (hObject=0x150) returned 1 [0226.149] FreeLibrary (hLibModule=0x647c0000) returned 1 [0226.151] LocalFree (hMem=0xdf2ba8) returned 0x0 [0226.151] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0226.151] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0226.152] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xde3848 | out: hHeap=0xde0000) returned 1 [0226.153] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdf1f58 | out: hHeap=0xde0000) returned 1 [0226.153] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0226.154] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0226.154] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fddc | out: phModule=0x18fddc) returned 0 [0226.154] ExitProcess (uExitCode=0x0) [0226.155] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdf0a40 | out: hHeap=0xde0000) returned 1 Thread: id = 478 os_tid = 0xbfc Process: id = "228" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1a541000" os_pid = "0x1050" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16056 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16057 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16058 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16059 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16060 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16061 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16062 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16063 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16064 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16065 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16066 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16067 start_va = 0x7e560000 end_va = 0x7e582fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e560000" filename = "" Region: id = 16068 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16069 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16070 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16071 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16073 start_va = 0x410000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 16074 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16075 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16076 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16077 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16078 start_va = 0x520000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 16079 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16080 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16081 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16082 start_va = 0x7e460000 end_va = 0x7e55ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e460000" filename = "" Region: id = 16083 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16084 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16085 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16086 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16087 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 16088 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 16089 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16090 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16091 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16092 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16093 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16094 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16095 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16096 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16097 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 16098 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16099 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16100 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16101 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16102 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16103 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16104 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16105 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16106 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16107 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16108 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16109 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 16110 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16112 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16113 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16114 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 16115 start_va = 0xb10000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 16116 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16117 start_va = 0x620000 end_va = 0x6b0fff monitored = 0 entry_point = 0x658cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16118 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16119 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 16120 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16121 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16122 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 16123 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 16124 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 16125 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 16126 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16127 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 479 os_tid = 0x1140 [0165.681] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0165.681] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0165.681] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0165.681] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0165.681] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0165.681] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0165.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0165.682] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0165.682] GetProcessHeap () returned 0x6f0000 [0165.683] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0165.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0165.683] GetLastError () returned 0x7e [0165.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0165.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0165.683] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x364) returned 0x7009a0 [0165.683] SetLastError (dwErrCode=0x7e) [0165.683] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xe00) returned 0x700d10 [0165.685] GetStartupInfoW (in: lpStartupInfo=0x18f748 | out: lpStartupInfo=0x18f748*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0165.685] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0165.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0165.685] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0165.685] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"" [0165.685] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"" [0165.685] GetACP () returned 0x4e4 [0165.685] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x220) returned 0x701b18 [0165.685] IsValidCodePage (CodePage=0x4e4) returned 1 [0165.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f768 | out: lpCPInfo=0x18f768) returned 1 [0165.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f030 | out: lpCPInfo=0x18f030) returned 1 [0165.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0165.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18edd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0165.685] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f044 | out: lpCharType=0x18f044) returned 1 [0165.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0165.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18ed88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0165.686] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0165.686] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0165.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0165.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0165.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f544, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ`·\x9dG\x80÷\x18", lpUsedDefaultChar=0x0) returned 256 [0165.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0165.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f644, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0165.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0165.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0165.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f444, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ`·\x9dG\x80÷\x18", lpUsedDefaultChar=0x0) returned 256 [0165.686] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x80) returned 0x6f3878 [0165.686] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0165.686] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x18e) returned 0x701d40 [0165.686] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0165.686] GetLastError () returned 0x0 [0165.686] SetLastError (dwErrCode=0x0) [0165.686] GetEnvironmentStringsW () returned 0x701ed8* [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0xa8c) returned 0x702970 [0165.687] FreeEnvironmentStringsW (penv=0x701ed8) returned 1 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f4568 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3e) returned 0x6faa50 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x5c) returned 0x6f8840 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x6e) returned 0x6f4630 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x78) returned 0x703eb0 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f4a00 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x28) returned 0x6f3d98 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f3fe8 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1a) returned 0x6f0570 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6fa9c0 [0165.687] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f3bf8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2a) returned 0x6f8530 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f8680 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1c) returned 0x6f3dc8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x144) returned 0x6f9cb8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x7c) returned 0x6f80a0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fe4b0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6facd8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f43a0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3918 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x30) returned 0x6f8488 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fdfb0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f2908 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f04b8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3c) returned 0x6fb158 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xd6) returned 0x6f9e78 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f84f8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1e) returned 0x6f2958 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f84c0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x54) returned 0x6f3e10 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f4070 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3e70 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x42) returned 0x6f40d0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f85a0 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x44) returned 0x6f9fa8 [0165.688] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3948 [0165.689] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x702970 | out: hHeap=0x6f0000) returned 1 [0165.689] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x800) returned 0x701ed8 [0165.689] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0165.689] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0165.689] GetStartupInfoW (in: lpStartupInfo=0x18f7ac | out: lpStartupInfo=0x18f7ac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0165.689] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"" [0165.689] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"", pNumArgs=0x18f798 | out: pNumArgs=0x18f798) returned 0x702b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0165.690] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0165.702] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x1000) returned 0x704410 [0165.702] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x3c) returned 0x6fb080 [0165.702] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_createSession", cchWideChar=-1, lpMultiByteStr=0x6fb080, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_createSession", lpUsedDefaultChar=0x0) returned 30 [0165.702] GetLastError () returned 0x0 [0165.702] SetLastError (dwErrCode=0x0) [0165.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionW") returned 0x0 [0165.703] GetLastError () returned 0x7f [0165.703] SetLastError (dwErrCode=0x7f) [0165.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionA") returned 0x0 [0165.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSession") returned 0x647cef31 [0165.703] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x4) returned 0x6f3820 [0165.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x6f3820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0165.703] GetActiveWindow () returned 0x0 [0165.704] GetLastError () returned 0x7f [0165.704] SetLastError (dwErrCode=0x7f) Thread: id = 481 os_tid = 0xbf4 Process: id = "229" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b502000" os_pid = "0x13c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "228" os_parent_pid = "0x1050" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "230" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x74b57000" os_pid = "0xdcc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16131 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16132 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16133 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16134 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16135 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16136 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16137 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16138 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16139 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16140 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16141 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16142 start_va = 0x7f550000 end_va = 0x7f572fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f550000" filename = "" Region: id = 16143 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16144 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16145 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16146 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16149 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16150 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16151 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16152 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16153 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16154 start_va = 0x4e0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 16155 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16156 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16157 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16158 start_va = 0x7f450000 end_va = 0x7f54ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f450000" filename = "" Region: id = 16159 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16160 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16161 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16162 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16163 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 16164 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16165 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16166 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16167 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16168 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16169 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16170 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16171 start_va = 0x550000 end_va = 0x553fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 16172 start_va = 0x600000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16173 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16174 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16176 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16177 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16178 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16179 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16180 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16181 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16182 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16183 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16184 start_va = 0x560000 end_va = 0x589fff monitored = 0 entry_point = 0x565680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16185 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 16186 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16187 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16188 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16189 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 16190 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 16191 start_va = 0xb20000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 16192 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16193 start_va = 0x560000 end_va = 0x5f0fff monitored = 0 entry_point = 0x598cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16194 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16195 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16196 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 16197 start_va = 0x570000 end_va = 0x577fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 16198 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 16199 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 16200 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 16201 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 16202 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 16203 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Thread: id = 482 os_tid = 0xc80 [0166.084] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0166.084] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0166.085] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0166.085] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0166.085] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0166.085] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0166.086] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0166.086] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0166.090] GetProcessHeap () returned 0x600000 [0166.090] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0166.090] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0166.090] GetLastError () returned 0x7e [0166.091] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0166.091] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0166.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x364) returned 0x6109a0 [0166.091] SetLastError (dwErrCode=0x7e) [0166.091] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xe00) returned 0x610d10 [0166.093] GetStartupInfoW (in: lpStartupInfo=0x18f7b0 | out: lpStartupInfo=0x18f7b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0166.093] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0166.093] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0166.093] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0166.093] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"" [0166.093] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"" [0166.093] GetACP () returned 0x4e4 [0166.093] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x220) returned 0x611b18 [0166.093] IsValidCodePage (CodePage=0x4e4) returned 1 [0166.093] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7d0 | out: lpCPInfo=0x18f7d0) returned 1 [0166.093] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f098 | out: lpCPInfo=0x18f098) returned 1 [0166.093] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0166.093] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ee38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0166.093] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f0ac | out: lpCharType=0x18f0ac) returned 1 [0166.093] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0166.093] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0166.094] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0166.094] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0166.094] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0166.094] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0166.094] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ?Jÿ~è÷\x18", lpUsedDefaultChar=0x0) returned 256 [0166.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0166.094] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6ac, cbMultiByte=256, lpWideCharStr=0x18ee08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0166.094] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0166.094] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ebf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0166.094] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4ac, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ?Jÿ~è÷\x18", lpUsedDefaultChar=0x0) returned 256 [0166.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x80) returned 0x603870 [0166.094] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0166.094] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x18a) returned 0x611d40 [0166.094] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0166.094] GetLastError () returned 0x0 [0166.094] SetLastError (dwErrCode=0x0) [0166.094] GetEnvironmentStringsW () returned 0x611ed8* [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0xa8c) returned 0x612970 [0166.095] FreeEnvironmentStringsW (penv=0x611ed8) returned 1 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x90) returned 0x604568 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3e) returned 0x60b038 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x5c) returned 0x608aa0 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x6e) returned 0x604630 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x78) returned 0x613eb0 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x62) returned 0x604a00 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x28) returned 0x603d90 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x48) returned 0x603fe8 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1a) returned 0x600570 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3a) returned 0x60ac00 [0166.095] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x62) returned 0x603bf0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2a) returned 0x6084f8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2e) returned 0x6086b8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1c) returned 0x603dc0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x144) returned 0x609cb8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x7c) returned 0x6080a0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x36) returned 0x60e470 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3a) returned 0x60aa50 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x90) returned 0x6043a0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x24) returned 0x603910 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x30) returned 0x6085a0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x36) returned 0x60e1b0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x48) returned 0x602900 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x52) returned 0x6004b8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x3c) returned 0x60b0c8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0xd6) returned 0x609e78 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2e) returned 0x608760 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x1e) returned 0x602950 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2c) returned 0x608488 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x54) returned 0x603e08 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x52) returned 0x604070 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x24) returned 0x603e68 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x42) returned 0x6040d0 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x2c) returned 0x6085d8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x44) returned 0x609fa8 [0166.096] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x24) returned 0x603940 [0166.097] HeapFree (in: hHeap=0x600000, dwFlags=0x0, lpMem=0x612970 | out: hHeap=0x600000) returned 1 [0166.097] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x8, Size=0x800) returned 0x611ed8 [0166.097] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0166.097] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0166.097] GetStartupInfoW (in: lpStartupInfo=0x18f814 | out: lpStartupInfo=0x18f814*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0166.097] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"" [0166.097] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"", pNumArgs=0x18f800 | out: pNumArgs=0x18f800) returned 0x612b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0166.098] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0166.100] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x1000) returned 0x614410 [0166.100] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x38) returned 0x60def0 [0166.100] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_freeSession", cchWideChar=-1, lpMultiByteStr=0x60def0, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_freeSession", lpUsedDefaultChar=0x0) returned 28 [0166.100] GetLastError () returned 0x0 [0166.100] SetLastError (dwErrCode=0x0) [0166.101] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionW") returned 0x0 [0166.101] GetLastError () returned 0x7f [0166.101] SetLastError (dwErrCode=0x7f) [0166.101] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionA") returned 0x0 [0166.101] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSession") returned 0x647cf0be [0166.101] RtlAllocateHeap (HeapHandle=0x600000, Flags=0x0, Size=0x4) returned 0x603818 [0166.101] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x603818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0166.101] GetActiveWindow () returned 0x0 [0166.102] GetLastError () returned 0x7f [0166.102] SetLastError (dwErrCode=0x7f) Thread: id = 484 os_tid = 0x10bc Process: id = "231" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x49fab000" os_pid = "0x1090" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "230" os_parent_pid = "0xdcc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "232" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7536d000" os_pid = "0xc70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16209 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16210 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16211 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16212 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16213 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16214 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16215 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16216 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16217 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16218 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16219 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16220 start_va = 0x7e340000 end_va = 0x7e362fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e340000" filename = "" Region: id = 16221 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16222 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16223 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16224 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16231 start_va = 0x410000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 16232 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16233 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16234 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16235 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16236 start_va = 0x600000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16248 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16249 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16250 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16251 start_va = 0x7e240000 end_va = 0x7e33ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e240000" filename = "" Region: id = 16252 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16253 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16254 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16255 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16256 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16257 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 16258 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16259 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16280 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16281 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16282 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16283 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16284 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16285 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 16286 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16287 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16288 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16289 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16290 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16291 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16292 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16293 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16294 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16295 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16296 start_va = 0x600000 end_va = 0x629fff monitored = 0 entry_point = 0x605680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16297 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 16298 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 16299 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16300 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16301 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 16302 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 16303 start_va = 0xb70000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 16304 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16305 start_va = 0x600000 end_va = 0x690fff monitored = 0 entry_point = 0x638cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16309 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16310 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 16311 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16312 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16315 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16316 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16317 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16318 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16319 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16320 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 486 os_tid = 0x10a4 [0167.483] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0167.484] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0167.484] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0167.484] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0167.484] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0167.484] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0167.485] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0167.485] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0167.486] GetProcessHeap () returned 0x750000 [0167.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0167.486] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0167.486] GetLastError () returned 0x7e [0167.486] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0167.486] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0167.486] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x7609a0 [0167.487] SetLastError (dwErrCode=0x7e) [0167.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760d10 [0167.489] GetStartupInfoW (in: lpStartupInfo=0x18fc64 | out: lpStartupInfo=0x18fc64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0167.489] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0167.489] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0167.489] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0167.489] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"" [0167.489] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"" [0167.489] GetACP () returned 0x4e4 [0167.489] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761b18 [0167.489] IsValidCodePage (CodePage=0x4e4) returned 1 [0167.489] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc84 | out: lpCPInfo=0x18fc84) returned 1 [0167.489] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f54c | out: lpCPInfo=0x18f54c) returned 1 [0167.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0167.489] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0167.490] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f560 | out: lpCharType=0x18f560) returned 1 [0167.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0167.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0167.494] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0167.495] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0167.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0167.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f098, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0167.495] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa60, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®çË*\x9cü\x18", lpUsedDefaultChar=0x0) returned 256 [0167.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0167.495] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb60, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0167.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0167.495] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0167.495] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f960, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®çË*\x9cü\x18", lpUsedDefaultChar=0x0) returned 256 [0167.495] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753878 [0167.495] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0167.495] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x190) returned 0x761d40 [0167.495] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0167.496] GetLastError () returned 0x0 [0167.496] SetLastError (dwErrCode=0x0) [0167.496] GetEnvironmentStringsW () returned 0x761ed8* [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762970 [0167.496] FreeEnvironmentStringsW (penv=0x761ed8) returned 1 [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7547c8 [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75ab28 [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758aa0 [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x754890 [0167.496] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x7636b0 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x754c60 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753d98 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x754248 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75afa8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753bf8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x758678 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758720 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x753dc8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759cb8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x758300 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e230 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75adf8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x754600 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753918 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x7587c8 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e630 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752908 [0167.497] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75ae88 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759e78 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758800 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752958 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758838 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x753e10 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7542d0 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753e70 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x754330 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758870 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759fa8 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753948 [0167.498] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762970 | out: hHeap=0x750000) returned 1 [0167.498] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761ed8 [0167.499] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0167.499] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0167.499] GetStartupInfoW (in: lpStartupInfo=0x18fcc8 | out: lpStartupInfo=0x18fcc8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0167.499] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"" [0167.499] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"", pNumArgs=0x18fcb4 | out: pNumArgs=0x18fcb4) returned 0x762b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0167.500] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0167.503] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x764410 [0167.503] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x3e) returned 0x75adb0 [0167.503] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getCleanupHook", cchWideChar=-1, lpMultiByteStr=0x75adb0, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0167.503] GetLastError () returned 0x0 [0167.503] SetLastError (dwErrCode=0x0) [0167.504] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookW") returned 0x0 [0167.504] GetLastError () returned 0x7f [0167.504] SetLastError (dwErrCode=0x7f) [0167.504] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookA") returned 0x0 [0167.504] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHook") returned 0x647cf05a [0167.504] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753820 [0167.504] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x753820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0167.504] GetActiveWindow () returned 0x0 [0167.507] GetLastError () returned 0x7f [0167.507] SetLastError (dwErrCode=0x7f) Thread: id = 488 os_tid = 0xc9c Process: id = "233" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3877d000" os_pid = "0x1130" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "232" os_parent_pid = "0xc70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "234" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4a583000" os_pid = "0xce8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16330 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16331 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16332 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16333 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16334 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16335 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16336 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16337 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16338 start_va = 0x7e990000 end_va = 0x7e9b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e990000" filename = "" Region: id = 16339 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16340 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16341 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16342 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16343 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16344 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16345 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16346 start_va = 0x4d0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16347 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16348 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16349 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16350 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16351 start_va = 0x690000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 16353 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16354 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16355 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16356 start_va = 0x7e890000 end_va = 0x7e98ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e890000" filename = "" Region: id = 16357 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16358 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16359 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16360 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16361 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16362 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16363 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16364 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16365 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16366 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16367 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16368 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16369 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 16370 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 16371 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16372 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16373 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16374 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16375 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16376 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16377 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16378 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16379 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16380 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16381 start_va = 0x5d0000 end_va = 0x5f9fff monitored = 0 entry_point = 0x5d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16382 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 16383 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16384 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16385 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 16386 start_va = 0x5e0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 16387 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 16388 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16389 start_va = 0x690000 end_va = 0x720fff monitored = 0 entry_point = 0x6c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16390 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 16391 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16392 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 16393 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16394 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 16395 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 16399 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 16400 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16401 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 16402 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16403 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 16404 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 490 os_tid = 0xdd0 [0168.556] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0168.557] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0168.557] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0168.557] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0168.557] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0168.557] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0168.558] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0168.558] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0168.558] GetProcessHeap () returned 0x7e0000 [0168.558] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0168.559] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0168.559] GetLastError () returned 0x7e [0168.559] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0168.559] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0168.559] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x364) returned 0x7f0a58 [0168.559] SetLastError (dwErrCode=0x7e) [0168.559] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe00) returned 0x7f0dc8 [0168.561] GetStartupInfoW (in: lpStartupInfo=0x18f84c | out: lpStartupInfo=0x18f84c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0168.561] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0168.561] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0168.561] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0168.561] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"" [0168.561] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"" [0168.561] GetACP () returned 0x4e4 [0168.561] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x220) returned 0x7f1bd0 [0168.561] IsValidCodePage (CodePage=0x4e4) returned 1 [0168.561] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f86c | out: lpCPInfo=0x18f86c) returned 1 [0168.561] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f134 | out: lpCPInfo=0x18f134) returned 1 [0168.561] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0168.561] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0168.562] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f148 | out: lpCharType=0x18f148) returned 1 [0168.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0168.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0168.562] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0168.562] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0168.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0168.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0168.562] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f648, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿz$\x10 \x84ø\x18", lpUsedDefaultChar=0x0) returned 256 [0168.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0168.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0168.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0168.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0168.562] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f548, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿz$\x10 \x84ø\x18", lpUsedDefaultChar=0x0) returned 256 [0168.562] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x80) returned 0x7e3860 [0168.562] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x182) returned 0x7f1df8 [0168.563] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0168.563] GetLastError () returned 0x0 [0168.563] SetLastError (dwErrCode=0x0) [0168.563] GetEnvironmentStringsW () returned 0x7f1f88* [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0xa8c) returned 0x7f2a20 [0168.563] FreeEnvironmentStringsW (penv=0x7f1f88) returned 1 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e4550 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3e) returned 0x7ead98 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x5c) returned 0x7e8a88 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x6e) returned 0x7e4618 [0168.563] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x78) returned 0x7f3e60 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e4c48 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x28) returned 0x7e3d80 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e3fd0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1a) returned 0x7e0570 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7eade0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e3be0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2a) returned 0x7e8778 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e86d0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1c) returned 0x7e3db0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x144) returned 0x7e9ca0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x7c) returned 0x7e82e8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee4e8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7eb068 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e4388 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3900 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x30) returned 0x7e87e8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee3a8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e28f8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e04b8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3c) returned 0x7eacc0 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xd6) returned 0x7e9e60 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e8858 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1e) returned 0x7e2948 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e8820 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x54) returned 0x7e3df8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e4058 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3e58 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x42) returned 0x7e40b8 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e8890 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x44) returned 0x7e9f90 [0168.564] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3930 [0168.565] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f2a20 | out: hHeap=0x7e0000) returned 1 [0168.565] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x800) returned 0x7f1f88 [0168.566] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0168.566] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0168.566] GetStartupInfoW (in: lpStartupInfo=0x18f8b0 | out: lpStartupInfo=0x18f8b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0168.566] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"" [0168.566] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"", pNumArgs=0x18f89c | out: pNumArgs=0x18f89c) returned 0x7f2bd8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0168.566] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0168.667] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x1000) returned 0x7f44c0 [0168.667] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x30) returned 0x7e8938 [0168.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getX509", cchWideChar=-1, lpMultiByteStr=0x7e8938, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getX509", lpUsedDefaultChar=0x0) returned 24 [0168.667] GetLastError () returned 0x0 [0168.667] SetLastError (dwErrCode=0x0) [0168.667] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509W") returned 0x0 [0168.667] GetLastError () returned 0x7f [0168.668] SetLastError (dwErrCode=0x7f) [0168.668] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509A") returned 0x0 [0168.668] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509") returned 0x647ced54 [0168.668] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x4) returned 0x7e3808 [0168.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x7e3808, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0168.668] GetActiveWindow () returned 0x0 [0168.669] GetLastError () returned 0x7f [0168.669] SetLastError (dwErrCode=0x7f) Thread: id = 492 os_tid = 0xb9c Process: id = "235" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x4a235000" os_pid = "0xb60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "234" os_parent_pid = "0xce8" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3304 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16405 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16406 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16407 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16408 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16409 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 16410 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 16411 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 16412 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16413 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 16414 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 16415 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 16416 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16417 start_va = 0x7f140000 end_va = 0x7f162fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f140000" filename = "" Region: id = 16418 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16419 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16420 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 16421 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16422 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16423 start_va = 0x100000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 16424 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16425 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16426 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16427 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16428 start_va = 0xcd0000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 16429 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16430 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16431 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16432 start_va = 0x7f040000 end_va = 0x7f13ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f040000" filename = "" Region: id = 16433 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16434 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16435 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 16436 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 16437 start_va = 0x160000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 16438 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16439 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16440 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16441 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16442 start_va = 0xcc0000 end_va = 0xcc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 16443 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16444 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16445 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16446 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16447 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 16448 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 16449 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 16450 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 16451 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 16452 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 16453 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16454 start_va = 0xe90000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 16455 start_va = 0xe90000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 16456 start_va = 0x1020000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 16457 start_va = 0xcd0000 end_va = 0xcd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 16458 start_va = 0xd90000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 16459 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16460 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16461 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 16462 start_va = 0xce0000 end_va = 0xd09fff monitored = 0 entry_point = 0xce5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16463 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16464 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 16465 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 16482 start_va = 0xce0000 end_va = 0xce3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 16490 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16491 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 16492 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 16493 start_va = 0xcf0000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 16533 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 16534 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 16535 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 16536 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 16537 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16538 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 16539 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 16540 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16541 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16542 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16543 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16544 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16545 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16546 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16547 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16548 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16549 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16550 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16551 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16558 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16559 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16560 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16561 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16562 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16563 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16564 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16565 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16566 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16567 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16568 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16569 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16570 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16571 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16572 start_va = 0xd10000 end_va = 0xd16fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 16582 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 16583 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 16584 start_va = 0xe90000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 16585 start_va = 0xfc0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 16589 start_va = 0xd10000 end_va = 0xd11fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 16592 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16593 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 16594 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16595 start_va = 0x6f740000 end_va = 0x6f7affff monitored = 0 entry_point = 0x6f794b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 16596 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 16597 start_va = 0x6530000 end_va = 0x6619fff monitored = 0 entry_point = 0x656d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16598 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 16599 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16600 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 16601 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 16602 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16603 start_va = 0x6630000 end_va = 0x6966fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 16604 start_va = 0xd20000 end_va = 0xd21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16605 start_va = 0xd20000 end_va = 0xd23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16606 start_va = 0xd20000 end_va = 0xd25fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16607 start_va = 0xd20000 end_va = 0xd27fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16608 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 16609 start_va = 0xd20000 end_va = 0xd29fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16610 start_va = 0xd20000 end_va = 0xd2bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16611 start_va = 0xd20000 end_va = 0xd2dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16612 start_va = 0xd20000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16613 start_va = 0xd20000 end_va = 0xd31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16614 start_va = 0xd20000 end_va = 0xd33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16615 start_va = 0xd20000 end_va = 0xd35fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16616 start_va = 0xd20000 end_va = 0xd37fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16617 start_va = 0xd20000 end_va = 0xd39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16618 start_va = 0xd20000 end_va = 0xd3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16619 start_va = 0xd20000 end_va = 0xd3dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16620 start_va = 0xd20000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16639 start_va = 0x6970000 end_va = 0x6a4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 16688 start_va = 0x6a50000 end_va = 0x6b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a50000" filename = "" Region: id = 16689 start_va = 0xf10000 end_va = 0xfbdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 16694 start_va = 0x1030000 end_va = 0x10d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 16703 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 16704 start_va = 0xd30000 end_va = 0xd32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 16705 start_va = 0xd40000 end_va = 0xd43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 16706 start_va = 0x6a50000 end_va = 0x724ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a50000" filename = "" Region: id = 16707 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16708 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16709 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16710 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16711 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16712 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16713 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16726 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16727 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16728 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16729 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16730 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16731 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16732 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16733 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16734 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16735 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16736 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16737 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16738 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16739 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16740 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16741 start_va = 0x6a50000 end_va = 0x6b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a50000" filename = "" Region: id = 16763 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16764 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16765 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16766 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16767 start_va = 0xd50000 end_va = 0xd56fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16768 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 16769 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16770 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16771 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16772 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16773 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16774 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16782 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 16783 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 16784 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 16785 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 16786 start_va = 0xd50000 end_va = 0xd50fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 16787 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 16801 start_va = 0xd50000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 16802 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 16803 start_va = 0xd70000 end_va = 0xd70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 16823 start_va = 0x6f380000 end_va = 0x6f3b3fff monitored = 0 entry_point = 0x6f398280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 18106 start_va = 0x8e0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 18107 start_va = 0x920000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 18108 start_va = 0x960000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 18109 start_va = 0x9a0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 18110 start_va = 0x9e0000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 18111 start_va = 0xa20000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 18112 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 18244 start_va = 0xd50000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 18245 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 18820 start_va = 0x6f800000 end_va = 0x6f808fff monitored = 0 entry_point = 0x6f803830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19012 start_va = 0xd50000 end_va = 0xd54fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 19013 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 19014 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19110 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19245 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 19246 start_va = 0xaa0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 19247 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 19248 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19632 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19757 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 19758 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 19775 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 19776 start_va = 0xb20000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 19777 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 19778 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 19779 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 19780 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 19781 start_va = 0x6b50000 end_va = 0x6c0bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b50000" filename = "" Region: id = 19782 start_va = 0xd80000 end_va = 0xd83fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 19783 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 19784 start_va = 0xf10000 end_va = 0xf13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 19785 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 19786 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 19788 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 19789 start_va = 0xf40000 end_va = 0xf40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 19790 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 19791 start_va = 0xf50000 end_va = 0xf52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 19792 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 19793 start_va = 0x6c10000 end_va = 0x7101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006c10000" filename = "" Region: id = 19794 start_va = 0x7110000 end_va = 0x814ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 19802 start_va = 0xb60000 end_va = 0xba1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 19871 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 19872 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 493 os_tid = 0xd4c Thread: id = 494 os_tid = 0xcf4 Thread: id = 498 os_tid = 0xe64 Thread: id = 521 os_tid = 0xc2c Thread: id = 523 os_tid = 0x1370 Thread: id = 524 os_tid = 0x5d0 Thread: id = 560 os_tid = 0xc94 Thread: id = 573 os_tid = 0x1100 Process: id = "236" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x72eb3000" os_pid = "0xcbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16466 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16467 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16468 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16469 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16470 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16471 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16472 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16473 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16474 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16475 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16476 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16477 start_va = 0x7fb90000 end_va = 0x7fbb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb90000" filename = "" Region: id = 16478 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16479 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16480 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16481 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16484 start_va = 0x410000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 16485 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16486 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16487 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16488 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16489 start_va = 0x600000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16495 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16496 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16497 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16498 start_va = 0x7fa90000 end_va = 0x7fb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa90000" filename = "" Region: id = 16499 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16500 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16501 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16502 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16503 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16504 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 16505 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16506 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16507 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16508 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16509 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16510 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16511 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16512 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 16513 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16514 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16515 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16516 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16517 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16518 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16519 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16520 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16521 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16522 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16523 start_va = 0x600000 end_va = 0x629fff monitored = 0 entry_point = 0x605680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16524 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 16525 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 16526 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16527 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16528 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 16529 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 16530 start_va = 0xb70000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 16531 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16532 start_va = 0x600000 end_va = 0x690fff monitored = 0 entry_point = 0x638cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16554 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16555 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 16556 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16557 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16573 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16574 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16575 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 16576 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 16577 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16586 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 495 os_tid = 0x9f8 [0169.260] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0169.260] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0169.261] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0169.261] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0169.261] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0169.261] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0169.262] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0169.262] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0169.263] GetProcessHeap () returned 0x750000 [0169.263] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0169.263] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0169.263] GetLastError () returned 0x7e [0169.263] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0169.263] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0169.263] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x7609a0 [0169.263] SetLastError (dwErrCode=0x7e) [0169.264] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760d10 [0169.265] GetStartupInfoW (in: lpStartupInfo=0x18fe08 | out: lpStartupInfo=0x18fe08*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0169.265] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0169.265] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0169.265] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0169.265] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"" [0169.265] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"" [0169.266] GetACP () returned 0x4e4 [0169.266] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761b18 [0169.266] IsValidCodePage (CodePage=0x4e4) returned 1 [0169.266] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe28 | out: lpCPInfo=0x18fe28) returned 1 [0169.266] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6f0 | out: lpCPInfo=0x18f6f0) returned 1 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0169.266] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f704 | out: lpCharType=0x18f704) returned 1 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x18f448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0169.266] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0169.266] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0169.266] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0169.266] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f238, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0169.266] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc04, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿªW¨Q@þ\x18", lpUsedDefaultChar=0x0) returned 256 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0169.266] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd04, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0169.266] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0169.266] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f258, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0169.266] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb04, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿªW¨Q@þ\x18", lpUsedDefaultChar=0x0) returned 256 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753878 [0169.267] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x190) returned 0x761d40 [0169.267] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0169.267] GetLastError () returned 0x0 [0169.267] SetLastError (dwErrCode=0x0) [0169.267] GetEnvironmentStringsW () returned 0x761ed8* [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762970 [0169.267] FreeEnvironmentStringsW (penv=0x761ed8) returned 1 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7547c8 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75ad20 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758aa0 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x754890 [0169.267] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x763430 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x754c60 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753d98 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x753fe8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75aa98 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753bf8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x758758 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x7588e0 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x753dc8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759cb8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x758300 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e170 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75afa8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7543a0 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753918 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x758950 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e270 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752908 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75aed0 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759e78 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758988 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752958 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758918 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x753e10 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x754070 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753e70 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x7540d0 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x7589c0 [0169.268] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759fa8 [0169.269] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753948 [0169.269] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762970 | out: hHeap=0x750000) returned 1 [0169.269] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761ed8 [0169.269] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0169.269] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0169.269] GetStartupInfoW (in: lpStartupInfo=0x18fe6c | out: lpStartupInfo=0x18fe6c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0169.269] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"" [0169.269] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"", pNumArgs=0x18fe58 | out: pNumArgs=0x18fe58) returned 0x762b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0169.270] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0169.313] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x764410 [0169.313] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x3e) returned 0x75aae0 [0169.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getEVP", cchWideChar=-1, lpMultiByteStr=0x75aae0, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getEVP", lpUsedDefaultChar=0x0) returned 31 [0169.314] GetLastError () returned 0x0 [0169.314] SetLastError (dwErrCode=0x0) [0169.314] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPW") returned 0x0 [0169.314] GetLastError () returned 0x7f [0169.314] SetLastError (dwErrCode=0x7f) [0169.314] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPA") returned 0x0 [0169.314] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVP") returned 0x647cf371 [0169.314] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753820 [0169.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x753820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0169.314] GetActiveWindow () returned 0x0 [0169.315] GetLastError () returned 0x7f [0169.315] SetLastError (dwErrCode=0x7f) Thread: id = 497 os_tid = 0xb68 Process: id = "237" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1353b000" os_pid = "0xcc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "236" os_parent_pid = "0xcbc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "238" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4a29c000" os_pid = "0xe48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16621 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16622 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16623 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16624 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16625 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16626 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16627 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16628 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16629 start_va = 0xed0000 end_va = 0xed1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 16630 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16631 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16632 start_va = 0x7f420000 end_va = 0x7f442fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f420000" filename = "" Region: id = 16633 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16634 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16635 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16636 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16640 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16641 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16642 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16643 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16644 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16645 start_va = 0xee0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 16646 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16647 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16648 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16649 start_va = 0x7f320000 end_va = 0x7f41ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f320000" filename = "" Region: id = 16650 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16651 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16652 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16653 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16654 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 16655 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16656 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16657 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16658 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16659 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16660 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16661 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16662 start_va = 0xed0000 end_va = 0xed3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 16663 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16664 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16665 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16666 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16667 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16668 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16669 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16670 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16671 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16672 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16673 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 16674 start_va = 0xee0000 end_va = 0xf09fff monitored = 0 entry_point = 0xee5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16675 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 16676 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16677 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16678 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 16679 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 16680 start_va = 0x1010000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 16681 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16682 start_va = 0x1010000 end_va = 0x10a0fff monitored = 0 entry_point = 0x1048cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16683 start_va = 0x11b0000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 16684 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16685 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 16686 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 16687 start_va = 0xef0000 end_va = 0xef7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 16690 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 16691 start_va = 0xf00000 end_va = 0xf01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 16692 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 16693 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 16695 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 16696 start_va = 0xf00000 end_va = 0xf00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Thread: id = 500 os_tid = 0xe4c [0170.872] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0170.872] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0170.872] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0170.872] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0170.872] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0170.873] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0170.873] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0170.873] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0170.874] GetProcessHeap () returned 0xf10000 [0170.874] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0170.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0170.874] GetLastError () returned 0x7e [0170.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0170.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0170.874] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x364) returned 0xf209a0 [0170.874] SetLastError (dwErrCode=0x7e) [0170.875] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xe00) returned 0xf20d10 [0170.876] GetStartupInfoW (in: lpStartupInfo=0x18f8d4 | out: lpStartupInfo=0x18f8d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0170.876] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0170.876] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0170.876] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0170.876] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"" [0170.876] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"" [0170.876] GetACP () returned 0x4e4 [0170.876] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x220) returned 0xf21b18 [0170.876] IsValidCodePage (CodePage=0x4e4) returned 1 [0170.876] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8f4 | out: lpCPInfo=0x18f8f4) returned 1 [0170.876] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1bc | out: lpCPInfo=0x18f1bc) returned 1 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0170.877] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1d0 | out: lpCharType=0x18f1d0) returned 1 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0170.877] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0170.877] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0170.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0170.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0170.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¢ìg]\x0cù\x18", lpUsedDefaultChar=0x0) returned 256 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0170.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0170.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0170.877] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0170.877] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¢ìg]\x0cù\x18", lpUsedDefaultChar=0x0) returned 256 [0170.877] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x80) returned 0xf13878 [0170.877] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x190) returned 0xf21d40 [0170.878] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0170.878] GetLastError () returned 0x0 [0170.878] SetLastError (dwErrCode=0x0) [0170.878] GetEnvironmentStringsW () returned 0xf21ed8* [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0xa8c) returned 0xf22970 [0170.878] FreeEnvironmentStringsW (penv=0xf21ed8) returned 1 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14568 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3e) returned 0xf1b0c8 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x5c) returned 0xf18aa0 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x6e) returned 0xf14630 [0170.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x78) returned 0xf240b0 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf14c60 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x28) returned 0xf13d98 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf13fe8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1a) returned 0xf10570 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1af18 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf13bf8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2a) returned 0xf18720 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18678 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1c) returned 0xf13dc8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x144) returned 0xf19cb8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x7c) returned 0xf18300 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e030 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1aa08 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf143a0 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13918 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x30) returned 0xf18790 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e0f0 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf12908 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf104b8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3c) returned 0xf1ac00 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xd6) returned 0xf19e78 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18918 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1e) returned 0xf12958 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf187c8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x54) returned 0xf13e10 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf14070 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13e70 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x42) returned 0xf140d0 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18838 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x44) returned 0xf19fa8 [0170.879] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13948 [0170.880] HeapFree (in: hHeap=0xf10000, dwFlags=0x0, lpMem=0xf22970 | out: hHeap=0xf10000) returned 1 [0170.880] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x800) returned 0xf21ed8 [0170.880] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0170.880] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0170.880] GetStartupInfoW (in: lpStartupInfo=0x18f938 | out: lpStartupInfo=0x18f938*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0170.880] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"" [0170.881] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"", pNumArgs=0x18f924 | out: pNumArgs=0x18f924) returned 0xf22b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0170.881] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0170.883] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x1000) returned 0xf24410 [0170.883] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x3e) returned 0xf1b110 [0170.883] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getRSA", cchWideChar=-1, lpMultiByteStr=0xf1b110, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getRSA", lpUsedDefaultChar=0x0) returned 31 [0170.884] GetLastError () returned 0x0 [0170.884] SetLastError (dwErrCode=0x0) [0170.884] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAW") returned 0x0 [0170.884] GetLastError () returned 0x7f [0170.884] SetLastError (dwErrCode=0x7f) [0170.884] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAA") returned 0x0 [0170.884] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSA") returned 0x647cf249 [0170.884] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x4) returned 0xf13820 [0170.884] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xf13820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0170.884] GetActiveWindow () returned 0x0 [0170.885] GetLastError () returned 0x7f [0170.885] SetLastError (dwErrCode=0x7f) Thread: id = 502 os_tid = 0x13d0 Process: id = "239" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x58700000" os_pid = "0x6a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "238" os_parent_pid = "0xe48" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "240" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d721000" os_pid = "0x3a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "234" os_parent_pid = "0xce8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "241" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x34fde000" os_pid = "0x1384" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16742 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16743 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16744 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16745 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16746 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16747 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16748 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16749 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16750 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16751 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16752 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16753 start_va = 0x7ee80000 end_va = 0x7eea2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee80000" filename = "" Region: id = 16754 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16755 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16756 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16757 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16775 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 16776 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16777 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16778 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16779 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16780 start_va = 0x510000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 16781 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16788 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16789 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16790 start_va = 0x7ed80000 end_va = 0x7ee7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed80000" filename = "" Region: id = 16791 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16792 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16793 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16794 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16795 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 16796 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16797 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16798 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16799 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16800 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16806 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16807 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16808 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16809 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 16810 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16811 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16812 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16813 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16814 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16815 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16816 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16817 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16818 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16819 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16820 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16821 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 16822 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16824 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16825 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 16826 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 16827 start_va = 0xa90000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 16828 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16829 start_va = 0xa90000 end_va = 0xb20fff monitored = 0 entry_point = 0xac8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16830 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 16854 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16855 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 16856 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16857 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16859 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 16860 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 16861 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 16862 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 16863 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 16864 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 16865 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 505 os_tid = 0xb70 [0172.686] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0172.686] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0172.686] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0172.686] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0172.686] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0172.687] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0172.687] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0172.688] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0172.688] GetProcessHeap () returned 0x570000 [0172.688] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0172.688] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0172.688] GetLastError () returned 0x7e [0172.689] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0172.689] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0172.689] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x364) returned 0x5809a0 [0172.689] SetLastError (dwErrCode=0x7e) [0172.689] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xe00) returned 0x580d10 [0172.691] GetStartupInfoW (in: lpStartupInfo=0x18f760 | out: lpStartupInfo=0x18f760*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0172.691] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0172.691] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0172.691] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0172.692] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"" [0172.692] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"" [0172.692] GetACP () returned 0x4e4 [0172.692] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x220) returned 0x581b18 [0172.692] IsValidCodePage (CodePage=0x4e4) returned 1 [0172.692] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f780 | out: lpCPInfo=0x18f780) returned 1 [0172.692] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f048 | out: lpCPInfo=0x18f048) returned 1 [0172.692] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0172.692] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18ede8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0172.692] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f05c | out: lpCharType=0x18f05c) returned 1 [0172.692] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0172.692] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0172.692] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0172.693] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0172.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0172.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0172.693] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f55c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0172.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0172.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f65c, cbMultiByte=256, lpWideCharStr=0x18edb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0172.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0172.693] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eba8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0172.693] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f45c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0172.693] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x80) returned 0x573878 [0172.693] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0172.693] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x192) returned 0x581d40 [0172.693] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0172.693] GetLastError () returned 0x0 [0172.693] SetLastError (dwErrCode=0x0) [0172.694] GetEnvironmentStringsW () returned 0x581ee0* [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa8c) returned 0x582978 [0172.694] FreeEnvironmentStringsW (penv=0x581ee0) returned 1 [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x90) returned 0x574568 [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3e) returned 0x57ac48 [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x5c) returned 0x578aa0 [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x6e) returned 0x574630 [0172.694] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x78) returned 0x583938 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x62) returned 0x574c60 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x28) returned 0x573d98 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x48) returned 0x573fe8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1a) returned 0x570570 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3a) returned 0x57aed0 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x62) returned 0x573bf8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2a) returned 0x5786e8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2e) returned 0x578800 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1c) returned 0x573dc8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x144) returned 0x579cb8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x7c) returned 0x578300 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x36) returned 0x57e4f0 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3a) returned 0x57b110 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x90) returned 0x5743a0 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573918 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x30) returned 0x578988 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x36) returned 0x57e2b0 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x48) returned 0x572908 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x52) returned 0x5704b8 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3c) returned 0x57aae0 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xd6) returned 0x579e78 [0172.695] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2e) returned 0x578838 [0172.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1e) returned 0x572958 [0172.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2c) returned 0x578678 [0172.758] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x54) returned 0x573e10 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x52) returned 0x574070 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573e70 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x42) returned 0x5740d0 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2c) returned 0x578720 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x44) returned 0x579fa8 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573948 [0172.759] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x582978 | out: hHeap=0x570000) returned 1 [0172.759] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x800) returned 0x581ee0 [0172.760] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0172.760] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0172.760] GetStartupInfoW (in: lpStartupInfo=0x18f7c4 | out: lpStartupInfo=0x18f7c4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0172.760] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"" [0172.760] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"", pNumArgs=0x18f7b0 | out: pNumArgs=0x18f7b0) returned 0x582b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0172.761] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0172.764] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x584418 [0172.764] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40) returned 0x57ab70 [0172.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getX509", cchWideChar=-1, lpMultiByteStr=0x57ab70, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getX509", lpUsedDefaultChar=0x0) returned 32 [0172.764] GetLastError () returned 0x0 [0172.764] SetLastError (dwErrCode=0x0) [0172.764] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509W") returned 0x0 [0172.765] GetLastError () returned 0x7f [0172.765] SetLastError (dwErrCode=0x7f) [0172.765] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509A") returned 0x0 [0172.765] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509") returned 0x647cf5b2 [0172.765] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x573820 [0172.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x573820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0172.765] GetActiveWindow () returned 0x0 [0172.766] GetLastError () returned 0x7f [0172.766] SetLastError (dwErrCode=0x7f) Thread: id = 507 os_tid = 0xf14 Process: id = "242" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52e26000" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "241" os_parent_pid = "0x1384" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "243" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x33caa000" os_pid = "0xee8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16866 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16867 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16868 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16869 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16870 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16871 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16872 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16873 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16874 start_va = 0xc10000 end_va = 0xc11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 16875 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16876 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16877 start_va = 0x7fb00000 end_va = 0x7fb22fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb00000" filename = "" Region: id = 16878 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16879 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16880 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16881 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16888 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16889 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16890 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16891 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16892 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16893 start_va = 0xc20000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 16894 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16895 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 16896 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 16897 start_va = 0x7fa00000 end_va = 0x7fafffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa00000" filename = "" Region: id = 16898 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 16899 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 16900 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 16901 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 16902 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 16903 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 16904 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 16905 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 16906 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 16907 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 16908 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 16909 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 16910 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 16911 start_va = 0xc10000 end_va = 0xc13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 16912 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 16913 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 16914 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 16915 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 16916 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 16917 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 16918 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 16919 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 16920 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 16921 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 16922 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 16923 start_va = 0xc20000 end_va = 0xc49fff monitored = 0 entry_point = 0xc25680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16924 start_va = 0xde0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 16925 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 16928 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 16929 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 16930 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 16931 start_va = 0xc20000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 16932 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 16933 start_va = 0xca0000 end_va = 0xd30fff monitored = 0 entry_point = 0xcd8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 16936 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 16937 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 16938 start_va = 0xc90000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 16939 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 16940 start_va = 0xc30000 end_va = 0xc37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 16944 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 16945 start_va = 0xc40000 end_va = 0xc41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 16946 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 16947 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 16948 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 16949 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Thread: id = 508 os_tid = 0x980 [0174.561] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0174.563] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0174.563] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0174.563] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0174.563] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0174.563] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0174.564] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0174.564] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0174.565] GetProcessHeap () returned 0xde0000 [0174.565] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0174.565] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0174.565] GetLastError () returned 0x7e [0174.565] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0174.565] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0174.565] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x364) returned 0xdf09a8 [0174.566] SetLastError (dwErrCode=0x7e) [0174.566] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0xe00) returned 0xdf0d18 [0174.568] GetStartupInfoW (in: lpStartupInfo=0x18fd58 | out: lpStartupInfo=0x18fd58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0174.568] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0174.568] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0174.568] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0174.568] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"" [0174.568] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"" [0174.568] GetACP () returned 0x4e4 [0174.568] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x220) returned 0xdf1b20 [0174.568] IsValidCodePage (CodePage=0x4e4) returned 1 [0174.568] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd78 | out: lpCPInfo=0x18fd78) returned 1 [0174.568] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f640 | out: lpCPInfo=0x18f640) returned 1 [0174.568] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.568] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f3e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0174.569] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f654 | out: lpCharType=0x18f654) returned 1 [0174.569] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.569] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0174.569] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0174.569] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0174.569] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0174.569] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0174.569] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb54, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ·\x8c¸L\x90ý\x18", lpUsedDefaultChar=0x0) returned 256 [0174.569] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0174.569] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc54, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0174.570] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0174.570] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0174.570] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa54, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ·\x8c¸L\x90ý\x18", lpUsedDefaultChar=0x0) returned 256 [0174.570] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x80) returned 0xde3878 [0174.570] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0174.570] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x190) returned 0xdf1d48 [0174.570] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0174.570] GetLastError () returned 0x0 [0174.570] SetLastError (dwErrCode=0x0) [0174.570] GetEnvironmentStringsW () returned 0xdf1ee0* [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0xa8c) returned 0xdf2978 [0174.571] FreeEnvironmentStringsW (penv=0xdf1ee0) returned 1 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x90) returned 0xde4568 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3e) returned 0xdeac08 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x5c) returned 0xde8aa8 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x6e) returned 0xde4860 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x78) returned 0xdf4338 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x62) returned 0xde4a00 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x28) returned 0xde3d98 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x48) returned 0xde3fe8 [0174.571] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1a) returned 0xde3dc8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3a) returned 0xdeaf20 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x62) returned 0xde4630 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2a) returned 0xde88e8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2e) returned 0xde8798 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1c) returned 0xde47d0 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x144) returned 0xde9cc0 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x7c) returned 0xde43a0 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x36) returned 0xdedf38 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3a) returned 0xdeac50 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x90) returned 0xde3e10 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde47f8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x30) returned 0xde8920 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x36) returned 0xdee1b8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x48) returned 0xde3bf8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x52) returned 0xde3918 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x3c) returned 0xdeac98 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0xd6) returned 0xde9e80 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2e) returned 0xde89c8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x1e) returned 0xde3c48 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2c) returned 0xde8958 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x54) returned 0xde2908 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x52) returned 0xde04b8 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde4070 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x42) returned 0xde40a0 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x2c) returned 0xde8760 [0174.572] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x44) returned 0xde9fb0 [0174.573] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x24) returned 0xde40f0 [0174.573] HeapFree (in: hHeap=0xde0000, dwFlags=0x0, lpMem=0xdf2978 | out: hHeap=0xde0000) returned 1 [0174.573] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x8, Size=0x800) returned 0xdf1ee0 [0174.573] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0174.573] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0174.574] GetStartupInfoW (in: lpStartupInfo=0x18fdbc | out: lpStartupInfo=0x18fdbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0174.574] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"" [0174.574] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"", pNumArgs=0x18fda8 | out: pNumArgs=0x18fda8) returned 0xdf2b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0174.574] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0174.577] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x1000) returned 0xdf4418 [0174.577] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x3e) returned 0xdeab30 [0174.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_setCleanupHook", cchWideChar=-1, lpMultiByteStr=0xdeab30, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_setCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0174.578] GetLastError () returned 0x0 [0174.578] SetLastError (dwErrCode=0x0) [0174.578] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookW") returned 0x0 [0174.578] GetLastError () returned 0x7f [0174.578] SetLastError (dwErrCode=0x7f) [0174.578] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookA") returned 0x0 [0174.578] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHook") returned 0x647cf08a [0174.578] RtlAllocateHeap (HeapHandle=0xde0000, Flags=0x0, Size=0x4) returned 0xde3ea8 [0174.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xde3ea8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0174.579] GetActiveWindow () returned 0x0 [0174.580] GetLastError () returned 0x7f [0174.580] SetLastError (dwErrCode=0x7f) Thread: id = 510 os_tid = 0x5b4 Process: id = "244" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x72ed7000" os_pid = "0x734" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "243" os_parent_pid = "0xee8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "245" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50d09000" os_pid = "0xc10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 16972 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 16973 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 16974 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 16975 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 16976 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 16977 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 16978 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 16979 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 16980 start_va = 0x700000 end_va = 0x701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 16981 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 16982 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 16983 start_va = 0x7f0d0000 end_va = 0x7f0f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0d0000" filename = "" Region: id = 16984 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16985 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 16986 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 16987 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 16994 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 16995 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 16996 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 16997 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 16998 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 16999 start_va = 0x710000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 17003 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17004 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 17005 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17006 start_va = 0x7efd0000 end_va = 0x7f0cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efd0000" filename = "" Region: id = 17007 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17008 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 17009 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 17010 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 17011 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17012 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 17013 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 17014 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 17015 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 17016 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 17017 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 17019 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 17020 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 17021 start_va = 0x700000 end_va = 0x703fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 17022 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 17023 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 17024 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 17025 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 17026 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 17027 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 17028 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 17029 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 17030 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 17039 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 17040 start_va = 0x710000 end_va = 0x739fff monitored = 0 entry_point = 0x715680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17041 start_va = 0x890000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 17042 start_va = 0x990000 end_va = 0xb17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 17043 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17045 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 17046 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 17047 start_va = 0x710000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 17048 start_va = 0xb20000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 17049 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 17050 start_va = 0x770000 end_va = 0x800fff monitored = 0 entry_point = 0x7a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 17052 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 17053 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 17054 start_va = 0x760000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 17055 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 17056 start_va = 0x710000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 17059 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 17060 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17061 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17062 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17063 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17064 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17065 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17066 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17067 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17068 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17069 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17070 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17071 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17072 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17073 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17074 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17075 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17076 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17077 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17078 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17079 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17080 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17081 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17082 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17083 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17084 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17085 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17086 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17087 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17088 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17089 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17090 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17091 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17092 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17093 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17094 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17095 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17096 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17097 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17098 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17099 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17100 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17101 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17102 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17103 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17104 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17105 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17106 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17107 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17108 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17109 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17110 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17111 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17112 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17113 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17114 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17115 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17116 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17117 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17123 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17124 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17125 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17126 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17127 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17128 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17129 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17130 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17131 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17132 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17133 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17134 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17135 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17136 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17137 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17138 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17139 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17140 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17141 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17142 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17143 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17144 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17145 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17146 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17147 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17148 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17149 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17150 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17151 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17152 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17153 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17154 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17155 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17156 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17157 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17158 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17159 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17160 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17161 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17162 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17163 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17164 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17165 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17166 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17167 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17168 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17187 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17188 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17189 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17190 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17191 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17192 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17193 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17194 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17195 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17196 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17197 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17198 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17199 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17200 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17201 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17202 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17203 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17204 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17205 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17206 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17207 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17208 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17209 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17210 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17211 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17212 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17213 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17214 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17215 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17216 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17217 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17218 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17219 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17220 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17221 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17222 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17223 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17224 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17225 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17226 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17227 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17228 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17229 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17230 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17231 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17232 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17233 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17234 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17235 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17236 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17237 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17238 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17239 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17240 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17241 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17242 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17266 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17267 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17268 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17270 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17271 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17272 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17273 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17274 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17275 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17276 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17277 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17278 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17279 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17280 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17281 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17282 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17283 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17284 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17285 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17286 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17287 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17288 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17289 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17290 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17291 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17292 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17293 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17294 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17295 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17296 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17297 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17298 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17299 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17300 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17301 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17302 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17303 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17304 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17305 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17306 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17307 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17308 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17309 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17310 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17311 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17312 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17313 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17314 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17315 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17316 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17317 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17329 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17330 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17331 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17332 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17333 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17334 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17335 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17336 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17337 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17338 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17339 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17340 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17341 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17342 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17343 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17344 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17345 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17346 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17347 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17350 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17351 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17352 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17353 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17354 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17355 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17356 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17357 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17358 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17359 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17360 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17361 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17362 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17363 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17364 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17365 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17366 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17367 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17368 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17369 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17370 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17371 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17372 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17373 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17374 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17375 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17376 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17377 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17378 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17379 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17380 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17381 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17382 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17383 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17403 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17404 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17405 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17406 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17407 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17408 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17409 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17410 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17411 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17412 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17413 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17414 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17415 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17416 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17417 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17418 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17419 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17420 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17421 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17422 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17423 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17424 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17425 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17426 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17427 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17428 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17429 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17430 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17431 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17432 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17433 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17434 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17435 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17436 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17437 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17438 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17439 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17440 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17441 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17442 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17443 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17444 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17445 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17446 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17447 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17448 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17449 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17450 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17451 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17452 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17453 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17454 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17455 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17456 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17457 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17458 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17459 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17460 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17461 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17462 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17463 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17464 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17465 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17466 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17467 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17468 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17469 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17470 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17492 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17493 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17494 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17495 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17496 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17497 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17498 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17499 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17500 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17501 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17502 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17503 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17504 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17505 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17506 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17507 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17508 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17509 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17510 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17511 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17512 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17513 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17514 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17515 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17516 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17517 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17518 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17519 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17520 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17521 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17522 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17523 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17524 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17525 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17526 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17527 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17528 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17529 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17530 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17531 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17532 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17533 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17534 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17535 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17536 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17537 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17538 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17539 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17540 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17541 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17542 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17543 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17544 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17545 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17546 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17547 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17548 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17554 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17555 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17556 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17557 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17558 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17559 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17560 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17561 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17562 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17563 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17564 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17565 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17566 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17567 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17568 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17569 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17570 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17571 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17572 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17573 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17574 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17575 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17576 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17577 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17578 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17579 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17580 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17581 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17582 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17583 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17584 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17585 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17586 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17587 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17588 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17589 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17590 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17591 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17592 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17593 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17594 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17595 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17596 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17597 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17598 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17599 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17600 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17601 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17602 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17603 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17604 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17605 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17606 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17607 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17608 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17609 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17610 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17611 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17612 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17613 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17614 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17615 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17616 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17617 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17618 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17619 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17620 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17621 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17622 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17667 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 17668 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 23971 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 23972 start_va = 0x710000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 23973 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 23974 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Thread: id = 512 os_tid = 0xd98 [0176.540] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0176.540] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0176.541] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0176.541] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0176.541] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0176.541] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0176.542] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0176.542] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0176.543] GetProcessHeap () returned 0x890000 [0176.543] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0176.543] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0176.543] GetLastError () returned 0x7e [0176.543] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0176.543] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0176.543] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x364) returned 0x8a0a50 [0176.544] SetLastError (dwErrCode=0x7e) [0176.544] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0xe00) returned 0x8a0dc0 [0176.546] GetStartupInfoW (in: lpStartupInfo=0x18f87c | out: lpStartupInfo=0x18f87c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0176.546] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0176.546] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0176.546] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0176.546] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"" [0176.546] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"" [0176.546] GetACP () returned 0x4e4 [0176.546] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x220) returned 0x8a1bc8 [0176.546] IsValidCodePage (CodePage=0x4e4) returned 1 [0176.546] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f89c | out: lpCPInfo=0x18f89c) returned 1 [0176.546] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f164 | out: lpCPInfo=0x18f164) returned 1 [0176.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0176.546] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x18ef08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0176.546] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f178 | out: lpCharType=0x18f178) returned 1 [0176.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0176.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x18eeb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0176.547] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0176.547] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0176.547] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0176.547] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eca8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0176.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f678, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍ\x9c5\x7f´ø\x18", lpUsedDefaultChar=0x0) returned 256 [0176.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0176.547] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f778, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0176.547] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0176.547] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0176.547] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f578, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍ\x9c5\x7f´ø\x18", lpUsedDefaultChar=0x0) returned 256 [0176.548] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x80) returned 0x893858 [0176.548] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0176.548] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x17a) returned 0x8a1df0 [0176.548] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0176.548] GetLastError () returned 0x0 [0176.548] SetLastError (dwErrCode=0x0) [0176.548] GetEnvironmentStringsW () returned 0x8a1f78* [0176.548] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0xa8c) returned 0x8a2a10 [0176.548] FreeEnvironmentStringsW (penv=0x8a1f78) returned 1 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x90) returned 0x894548 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x3e) returned 0x89add8 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x5c) returned 0x898a80 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x6e) returned 0x894610 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x78) returned 0x8a3e50 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x62) returned 0x894c40 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x28) returned 0x893d78 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x48) returned 0x893fc8 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x1a) returned 0x890570 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x3a) returned 0x89ae68 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x62) returned 0x893bd8 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x2a) returned 0x898968 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x2e) returned 0x898738 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x1c) returned 0x893da8 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x144) returned 0x899c98 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x7c) returned 0x8982e0 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x36) returned 0x89e0a0 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x3a) returned 0x89ad48 [0176.549] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x90) returned 0x894380 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x24) returned 0x8938f8 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x30) returned 0x898770 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x36) returned 0x89e520 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x48) returned 0x8928f0 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x52) returned 0x8904b8 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x3c) returned 0x89a9a0 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0xd6) returned 0x899e58 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x2e) returned 0x8987a8 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x1e) returned 0x892940 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x2c) returned 0x8988f8 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x54) returned 0x893df0 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x52) returned 0x894050 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x24) returned 0x893e50 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x42) returned 0x8940b0 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x2c) returned 0x8987e0 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x44) returned 0x899f88 [0176.550] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x24) returned 0x893928 [0176.551] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x8a2a10 | out: hHeap=0x890000) returned 1 [0176.551] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x8, Size=0x800) returned 0x8a1f78 [0176.551] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0176.551] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0176.551] GetStartupInfoW (in: lpStartupInfo=0x18f8e0 | out: lpStartupInfo=0x18f8e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0176.551] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"" [0176.552] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"0\"", pNumArgs=0x18f8cc | out: pNumArgs=0x18f8cc) returned 0x8a2bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0176.552] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0176.556] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x1000) returned 0x8a44b0 [0176.556] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x28) returned 0x89a7b8 [0176.556] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_plugAndPlay", cchWideChar=-1, lpMultiByteStr=0x89a7b8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_plugAndPlay", lpUsedDefaultChar=0x0) returned 20 [0176.556] GetLastError () returned 0x0 [0176.556] SetLastError (dwErrCode=0x0) [0176.556] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayW") returned 0x0 [0176.557] GetLastError () returned 0x7f [0176.557] SetLastError (dwErrCode=0x7f) [0176.557] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayA") returned 0x0 [0176.557] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlay") returned 0x647cbbbd [0176.557] RtlAllocateHeap (HeapHandle=0x890000, Flags=0x0, Size=0x4) returned 0x893800 [0176.557] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x893800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0176.557] GetActiveWindow () returned 0x0 [0176.558] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x8a44b0 | out: hHeap=0x890000) returned 1 [0176.559] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x89a7b8 | out: hHeap=0x890000) returned 1 [0176.559] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x893800 | out: hHeap=0x890000) returned 1 [0176.559] GetCurrentProcessId () returned 0xc10 [0176.559] GetCurrentThreadId () returned 0xd98 [0176.559] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0176.675] Thread32First (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.676] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.676] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.677] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.678] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.678] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.679] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.679] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.680] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.681] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.681] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.682] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.683] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.683] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.684] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.684] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.685] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.686] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.686] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.687] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.687] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.688] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.689] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.689] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.690] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.690] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.691] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.692] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.692] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.693] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.693] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.694] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.694] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.695] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.696] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.697] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.698] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.698] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.699] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.699] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.700] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.700] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.701] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.702] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.703] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.703] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.704] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.705] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.705] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.706] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.706] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.707] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.707] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.708] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.709] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.709] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.710] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.710] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.847] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.848] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.849] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.849] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.850] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.851] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.852] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.853] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.854] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.855] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.855] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.856] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.857] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.858] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.858] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.859] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.860] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.861] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.861] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.862] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.863] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.864] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.865] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.865] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.866] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.867] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.868] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.869] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.870] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.870] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.871] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.872] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.873] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.873] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.874] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.875] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.876] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.877] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.877] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.878] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.879] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.880] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.880] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.881] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.882] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0176.883] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.231] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.232] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.233] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.233] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.234] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.236] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.237] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.239] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.241] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.242] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.243] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.244] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.244] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.245] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.246] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.247] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.247] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.248] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.249] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.250] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.250] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.251] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.252] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.253] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.253] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.254] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.255] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.256] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.257] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.257] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.258] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.259] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.260] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.261] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.263] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.264] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.266] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.267] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.269] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.270] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.271] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.273] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.443] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.444] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.445] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.609] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.610] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.611] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.612] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.613] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.613] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.614] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.615] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.615] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.616] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.617] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.621] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.621] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.622] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.623] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.624] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.624] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.625] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.626] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.626] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.627] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.627] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.628] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.629] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.629] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.630] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.631] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.632] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.632] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.635] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.636] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.636] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.637] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.638] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.639] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.639] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.640] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.641] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.641] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.642] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.643] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.644] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.644] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.645] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.646] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.647] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.647] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.648] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.792] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.793] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.794] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.794] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.795] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.796] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.796] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.797] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.798] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.798] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.799] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.800] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.800] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.801] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.802] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.803] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.803] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.804] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.806] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.924] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.924] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.925] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.926] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.926] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.927] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.927] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.928] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.929] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.929] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.931] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.932] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.932] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.933] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.934] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.934] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.935] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.935] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.936] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.937] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.937] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.938] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.938] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.939] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.940] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.940] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.941] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.941] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.942] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.943] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.943] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.944] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.944] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0177.945] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.153] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.154] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.154] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.155] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.155] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.156] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.157] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.157] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.158] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.158] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.159] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.159] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.160] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.161] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.161] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.162] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.162] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.163] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.164] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.166] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.167] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.168] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.168] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.169] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.169] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.170] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.171] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.171] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.172] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.172] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.173] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.174] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.174] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.175] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.175] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.176] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.176] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.177] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.178] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.178] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.179] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.179] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.180] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.181] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.181] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.182] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.183] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.183] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.184] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.184] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.185] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.186] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.186] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.187] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.187] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.188] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.189] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.189] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.190] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.190] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.191] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.191] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.192] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.193] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.193] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.194] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.195] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.195] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.348] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.349] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.349] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.350] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.351] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.351] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.352] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.353] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.353] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.354] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.355] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.355] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.357] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.358] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.358] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.359] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.359] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.360] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.362] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.362] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.363] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.365] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.366] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.366] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.367] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.367] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.368] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.370] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.371] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.371] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.372] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.372] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.373] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.374] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.374] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.375] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.375] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.376] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.376] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.377] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.378] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.378] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.379] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.379] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.380] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.381] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.381] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.382] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.382] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.480] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.481] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.481] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.482] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.483] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.483] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.484] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.484] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.485] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.486] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.486] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.487] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.487] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.488] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.488] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.489] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.490] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.490] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.491] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.491] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.492] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.493] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.494] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.495] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.495] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.496] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.496] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.497] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.498] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.498] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.499] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.499] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.500] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.500] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.501] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.502] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.502] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.503] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.504] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.504] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.505] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.505] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.506] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.507] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.507] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.508] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.509] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.509] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.510] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.511] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.511] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.512] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.513] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.513] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.514] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.515] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.515] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.516] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.517] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.517] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.518] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.519] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.519] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.520] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.520] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.521] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.522] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.522] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.523] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.790] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0178.790] Thread32Next (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0179.288] CloseHandle (hObject=0x150) returned 1 [0179.288] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xccc) returned 0x150 [0179.288] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0236.165] CloseHandle (hObject=0x150) returned 1 [0236.165] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0236.178] Thread32First (hSnapshot=0x150, lpte=0x18f8b0) returned 1 [0238.139] CloseHandle (hObject=0x150) returned 1 [0238.139] FreeLibrary (hLibModule=0x647c0000) returned 1 [0238.141] LocalFree (hMem=0x8a2bc8) returned 0x0 [0238.141] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0238.141] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0238.142] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x893858 | out: hHeap=0x890000) returned 1 [0238.142] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x8a1f78 | out: hHeap=0x890000) returned 1 [0238.142] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0238.143] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0238.143] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f8d8 | out: phModule=0x18f8d8) returned 0 [0238.143] ExitProcess (uExitCode=0x0) [0238.144] HeapFree (in: hHeap=0x890000, dwFlags=0x0, lpMem=0x8a0a50 | out: hHeap=0x890000) returned 1 Thread: id = 514 os_tid = 0xccc Process: id = "246" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3ec20000" os_pid = "0x1134" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17246 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17247 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17248 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 17249 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 17250 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 17251 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 17252 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 17253 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 17254 start_va = 0x5e0000 end_va = 0x5e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 17255 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 17256 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 17257 start_va = 0x7ed70000 end_va = 0x7ed92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed70000" filename = "" Region: id = 17258 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17259 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 17260 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17261 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 17322 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 17323 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 17324 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 17325 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17326 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 17327 start_va = 0x5f0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 17328 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17385 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 17386 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17387 start_va = 0x7ec70000 end_va = 0x7ed6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 17388 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17389 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 17390 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 17391 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 17392 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17393 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 17394 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 17395 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 17396 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 17397 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 17398 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 17399 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 17400 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 17401 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 17402 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 17472 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 17473 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 17474 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 17475 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 17476 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 17477 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 17478 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 17479 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 17480 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 17481 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 17482 start_va = 0x6d0000 end_va = 0x6f9fff monitored = 0 entry_point = 0x6d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17483 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 17484 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17485 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 17486 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 17487 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 17488 start_va = 0xb40000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 17489 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 17490 start_va = 0xb40000 end_va = 0xbd0fff monitored = 0 entry_point = 0xb78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 17491 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 17550 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 17551 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 17552 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 17553 start_va = 0x6e0000 end_va = 0x6e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 17666 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 17671 start_va = 0x6f0000 end_va = 0x6f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 17672 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 17673 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 17674 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 17675 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Thread: id = 517 os_tid = 0xc78 [0178.440] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0178.440] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0178.441] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0178.441] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0178.441] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0178.441] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0178.442] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0178.442] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0178.442] GetProcessHeap () returned 0x720000 [0178.443] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0178.443] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0178.443] GetLastError () returned 0x7e [0178.443] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0178.443] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0178.443] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x364) returned 0x730a60 [0178.444] SetLastError (dwErrCode=0x7e) [0178.444] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xe00) returned 0x730dd0 [0178.446] GetStartupInfoW (in: lpStartupInfo=0x18fb94 | out: lpStartupInfo=0x18fb94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0178.446] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0178.446] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0178.446] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0178.446] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"" [0178.446] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"" [0178.446] GetACP () returned 0x4e4 [0178.447] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x220) returned 0x731bd8 [0178.447] IsValidCodePage (CodePage=0x4e4) returned 1 [0178.447] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbb4 | out: lpCPInfo=0x18fbb4) returned 1 [0178.447] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f47c | out: lpCPInfo=0x18f47c) returned 1 [0178.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0178.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0178.447] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f490 | out: lpCharType=0x18f490) returned 1 [0178.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0178.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0178.447] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0178.447] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0178.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0178.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18efc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0178.447] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f990, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÎ\x844ÖÌû\x18", lpUsedDefaultChar=0x0) returned 256 [0178.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0178.448] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f1e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0178.448] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0178.448] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18efd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0178.448] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f890, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÎ\x844ÖÌû\x18", lpUsedDefaultChar=0x0) returned 256 [0178.448] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x80) returned 0x723860 [0178.448] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0178.448] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x180) returned 0x731e00 [0178.448] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0178.448] GetLastError () returned 0x0 [0178.448] SetLastError (dwErrCode=0x0) [0178.448] GetEnvironmentStringsW () returned 0x731f88* [0178.448] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0xa8c) returned 0x732a20 [0178.449] FreeEnvironmentStringsW (penv=0x731f88) returned 1 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x90) returned 0x724550 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3e) returned 0x72ae78 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x5c) returned 0x728a90 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x6e) returned 0x724848 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x78) returned 0x734360 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x62) returned 0x7249e8 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x28) returned 0x723d80 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x48) returned 0x723fd0 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1a) returned 0x723db0 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3a) returned 0x72ad10 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x62) returned 0x724618 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2a) returned 0x728780 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2e) returned 0x7286a0 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1c) returned 0x7247b8 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x144) returned 0x729ca8 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x7c) returned 0x724388 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x36) returned 0x72e170 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3a) returned 0x72ade8 [0178.449] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x90) returned 0x723df8 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x24) returned 0x7247e0 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x30) returned 0x7287b8 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x36) returned 0x72dff0 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x48) returned 0x723be0 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x52) returned 0x723900 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x3c) returned 0x72aec0 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xd6) returned 0x729e68 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2e) returned 0x728940 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x1e) returned 0x723c30 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x7286d8 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x54) returned 0x7228f8 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x52) returned 0x7204b8 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x24) returned 0x724058 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x42) returned 0x724088 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x2c) returned 0x728978 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x44) returned 0x729f98 [0178.450] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x24) returned 0x7240d8 [0178.451] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x732a20 | out: hHeap=0x720000) returned 1 [0178.451] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x800) returned 0x731f88 [0178.451] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0178.451] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0178.451] GetStartupInfoW (in: lpStartupInfo=0x18fbf8 | out: lpStartupInfo=0x18fbf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0178.451] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"" [0178.451] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"", pNumArgs=0x18fbe4 | out: pNumArgs=0x18fbe4) returned 0x732bd8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0178.452] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0178.454] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x1000) returned 0x7344c0 [0178.454] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x2e) returned 0x7289e8 [0178.454] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_removeProvider", cchWideChar=-1, lpMultiByteStr=0x7289e8, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_removeProvider", lpUsedDefaultChar=0x0) returned 23 [0178.454] GetLastError () returned 0x0 [0178.454] SetLastError (dwErrCode=0x0) [0178.454] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderW") returned 0x0 [0178.455] GetLastError () returned 0x7f [0178.455] SetLastError (dwErrCode=0x7f) [0178.455] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderA") returned 0x0 [0178.455] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProvider") returned 0x647cb8c9 [0178.455] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x4) returned 0x723e90 [0178.455] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x723e90, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0178.455] GetActiveWindow () returned 0x0 [0178.456] GetLastError () returned 0x7f [0178.456] SetLastError (dwErrCode=0x7f) Thread: id = 520 os_tid = 0xb94 Process: id = "247" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45a86000" os_pid = "0x938" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "246" os_parent_pid = "0x1134" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "248" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x6313e000" os_pid = "0x13e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "246" os_parent_pid = "0x1134" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4404 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17678 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17679 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17680 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 17681 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 17682 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 17683 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 17684 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 17685 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 17686 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 17687 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 17688 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 17689 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 17690 start_va = 0x7ee40000 end_va = 0x7ee62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee40000" filename = "" Region: id = 17691 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17692 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 17693 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 17694 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17695 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 17696 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 17697 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 17698 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 17700 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17701 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 17702 start_va = 0x630000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 17703 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17704 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 17705 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17706 start_va = 0x7ed40000 end_va = 0x7ee3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 17707 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17725 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 17726 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17727 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 17728 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 17729 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 17730 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 17731 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 17732 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 17733 start_va = 0x620000 end_va = 0x623fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 17734 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 17735 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 17736 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 17737 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 17738 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 17745 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 17746 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 17747 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 17748 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 17749 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 17750 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 17751 start_va = 0x630000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 17752 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 17753 start_va = 0x650000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 17754 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 17755 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 17756 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 17757 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 17758 start_va = 0x650000 end_va = 0x679fff monitored = 0 entry_point = 0x655680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17759 start_va = 0x7c0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 17760 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 17761 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17776 start_va = 0x650000 end_va = 0x653fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 17777 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 17778 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 17799 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 17800 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 17801 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 17802 start_va = 0xc00000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 17852 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 17853 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 17854 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 17855 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 17856 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 17857 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 17858 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17859 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17860 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17861 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17862 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17863 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17864 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17865 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17866 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17867 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17868 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17869 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17870 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17871 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17872 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17873 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17874 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17875 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17876 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17877 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17878 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17879 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17880 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17881 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17882 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17883 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 17884 start_va = 0x680000 end_va = 0x686fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 18024 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 18025 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 18026 start_va = 0x680000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 18113 start_va = 0x700000 end_va = 0x701fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 18114 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18115 start_va = 0x6ef60000 end_va = 0x6f37dfff monitored = 0 entry_point = 0x6f05ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 18116 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18117 start_va = 0x6f800000 end_va = 0x6f86ffff monitored = 0 entry_point = 0x6f854b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 18118 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 18119 start_va = 0xc00000 end_va = 0xce9fff monitored = 0 entry_point = 0xc3d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18120 start_va = 0xda0000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 18121 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 18122 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18123 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 18124 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 18125 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18142 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 18143 start_va = 0x710000 end_va = 0x711fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18144 start_va = 0x710000 end_va = 0x713fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18145 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18146 start_va = 0x710000 end_va = 0x717fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18147 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 18148 start_va = 0x710000 end_va = 0x719fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18149 start_va = 0x710000 end_va = 0x71bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18150 start_va = 0x710000 end_va = 0x71dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18151 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18152 start_va = 0x710000 end_va = 0x721fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18153 start_va = 0x710000 end_va = 0x723fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18154 start_va = 0x710000 end_va = 0x725fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18155 start_va = 0x710000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18156 start_va = 0x710000 end_va = 0x729fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18157 start_va = 0x710000 end_va = 0x72bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18158 start_va = 0x710000 end_va = 0x72dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18159 start_va = 0x710000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18168 start_va = 0xdb0000 end_va = 0xe8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 18233 start_va = 0xe90000 end_va = 0xf55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 18234 start_va = 0x710000 end_va = 0x7b9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18243 start_va = 0xf60000 end_va = 0x1008fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 18437 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 18438 start_va = 0x720000 end_va = 0x722fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 18439 start_va = 0x730000 end_va = 0x733fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 18509 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 18510 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18511 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18512 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18513 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18514 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18515 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18516 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18517 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18518 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18519 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18520 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18521 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18522 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18523 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18524 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18525 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18599 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18600 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18601 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18602 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18603 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18604 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18605 start_va = 0xe90000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 18606 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18607 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18608 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18609 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18610 start_va = 0x740000 end_va = 0x746fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18670 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 18671 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 18672 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18673 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18674 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18675 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18676 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18702 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 18703 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 18704 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 18705 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 18706 start_va = 0x740000 end_va = 0x740fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 18707 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 18708 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 18709 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 18710 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18711 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19167 start_va = 0x590000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 19168 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 19169 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 19170 start_va = 0xd00000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 19171 start_va = 0xd40000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 19172 start_va = 0xf90000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 19173 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19286 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 19287 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19652 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19820 start_va = 0x740000 end_va = 0x744fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 19821 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 19822 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19930 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 20160 start_va = 0xfd0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 20161 start_va = 0x1010000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 20170 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 20171 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 20399 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 20554 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 20555 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 20557 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 20558 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 20559 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 20560 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 20561 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 20562 start_va = 0x7a0000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 20563 start_va = 0x6870000 end_va = 0x692bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 20564 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 20565 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 20566 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 20567 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 20568 start_va = 0xd80000 end_va = 0xd80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 20576 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 20577 start_va = 0xd90000 end_va = 0xd90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 20578 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 20579 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 20580 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 20596 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 20597 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 20598 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 20599 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 20600 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 522 os_tid = 0xc34 Thread: id = 527 os_tid = 0x13b8 Thread: id = 529 os_tid = 0x1178 Thread: id = 551 os_tid = 0xe28 Thread: id = 552 os_tid = 0x12ac Thread: id = 553 os_tid = 0x12a0 Thread: id = 588 os_tid = 0xc84 Thread: id = 600 os_tid = 0x13f8 Process: id = "249" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x32b35000" os_pid = "0x1380" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 17709 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 17710 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 17711 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 17712 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 17713 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 17714 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 17715 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 17716 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 17717 start_va = 0xc20000 end_va = 0xc21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 17718 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 17719 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 17720 start_va = 0x7f910000 end_va = 0x7f932fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f910000" filename = "" Region: id = 17721 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17722 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 17723 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 17724 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 17739 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17740 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 17741 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 17742 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17743 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 17744 start_va = 0xc30000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 17763 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 17764 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 17765 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 17766 start_va = 0x7f810000 end_va = 0x7f90ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f810000" filename = "" Region: id = 17767 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 17768 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 17769 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 17770 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 17771 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 17772 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 17773 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 17774 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 17775 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 17780 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 17781 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 17782 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 17783 start_va = 0xc20000 end_va = 0xc23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 17784 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 17785 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 17786 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 17787 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 17788 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 17789 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 17790 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 17791 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 17792 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 17793 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 17794 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 17795 start_va = 0xc30000 end_va = 0xc59fff monitored = 0 entry_point = 0xc35680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17796 start_va = 0xd10000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 17797 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 17803 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 17804 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 17805 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 17806 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 17807 start_va = 0xc30000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 17808 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 17809 start_va = 0xc50000 end_va = 0xce0fff monitored = 0 entry_point = 0xc88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 17811 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 17812 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 17813 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 17814 start_va = 0x920000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 17815 start_va = 0xc50000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 17816 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17817 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17818 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17819 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17820 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17821 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17822 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17823 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17824 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17825 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17826 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17827 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17828 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17829 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17830 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17831 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17832 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17833 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17834 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17835 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17836 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17837 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17838 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17839 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17840 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17841 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17842 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17843 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17844 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17845 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17846 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17847 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17848 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17885 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17886 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17887 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17888 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17889 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17890 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17891 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17892 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17893 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17894 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17895 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17896 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17897 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17898 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17899 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17900 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17901 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17902 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17903 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17904 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17905 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17906 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17907 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17908 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17909 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17910 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17911 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17912 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17913 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17914 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17915 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17916 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17917 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17918 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17919 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17920 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17921 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17922 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17923 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17924 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17925 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17926 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17927 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17928 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17929 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17930 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17931 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17932 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17933 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17934 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17935 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17936 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17937 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17938 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17939 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17940 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17941 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17942 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17943 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17944 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17945 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17946 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17947 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17948 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17949 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17950 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17951 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17952 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17953 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17954 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17955 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17956 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17957 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17958 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17959 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17960 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17961 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17962 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17963 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17964 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17965 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17966 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17967 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17968 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17969 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17970 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17971 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17972 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17973 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17974 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17975 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17976 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17977 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17978 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17979 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17980 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17981 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17982 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17983 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17984 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17985 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17986 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17987 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17988 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17989 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17990 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17991 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17992 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17993 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17994 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17995 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17996 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17997 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17998 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 17999 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18000 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18001 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18002 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18003 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18004 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18005 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18006 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18007 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18008 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18009 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18010 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18011 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18012 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18013 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18014 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18015 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18016 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18017 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18018 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18019 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18020 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18021 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18022 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18023 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18027 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18028 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18029 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18030 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18031 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18032 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18033 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18034 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18035 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18036 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18037 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18038 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18039 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18040 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18041 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18042 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18043 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18044 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18045 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18046 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18047 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18048 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18049 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18050 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18051 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18052 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18053 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18054 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18055 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18056 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18057 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18058 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18059 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18060 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18061 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18062 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18063 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18064 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18065 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18066 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18067 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18068 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18069 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18070 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18071 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18072 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18073 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18074 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18075 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18076 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18077 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18078 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18079 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18080 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18081 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18082 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18083 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18084 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18085 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18086 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18087 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18088 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18089 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18090 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18091 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18092 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18093 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18094 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18095 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18096 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18097 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18098 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18099 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18100 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18101 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18102 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18103 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18104 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 18105 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 24256 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 24257 start_va = 0xc50000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 24258 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Region: id = 24259 start_va = 0xc30000 end_va = 0xc35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c30000" filename = "" Thread: id = 525 os_tid = 0xd64 [0180.016] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0180.016] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0180.016] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0180.016] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0180.016] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0180.016] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0180.017] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0180.017] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0180.018] GetProcessHeap () returned 0xd10000 [0180.018] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0180.018] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0180.018] GetLastError () returned 0x7e [0180.018] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0180.018] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0180.018] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x364) returned 0xd20a50 [0180.019] SetLastError (dwErrCode=0x7e) [0180.019] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0xe00) returned 0xd20dc0 [0180.021] GetStartupInfoW (in: lpStartupInfo=0x18f878 | out: lpStartupInfo=0x18f878*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0180.021] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0180.021] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0180.021] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0180.021] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"" [0180.021] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"" [0180.021] GetACP () returned 0x4e4 [0180.021] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x220) returned 0xd21bc8 [0180.021] IsValidCodePage (CodePage=0x4e4) returned 1 [0180.021] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f898 | out: lpCPInfo=0x18f898) returned 1 [0180.021] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f160 | out: lpCPInfo=0x18f160) returned 1 [0180.021] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0180.021] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x18ef08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0180.021] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f174 | out: lpCharType=0x18f174) returned 1 [0180.021] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0180.021] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x18eeb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0180.021] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0180.022] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0180.022] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0180.022] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eca8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0180.022] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f674, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®T_¸°ø\x18", lpUsedDefaultChar=0x0) returned 256 [0180.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0180.022] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f774, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0180.022] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0180.022] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0180.022] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f574, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®T_¸°ø\x18", lpUsedDefaultChar=0x0) returned 256 [0180.022] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x80) returned 0xd13858 [0180.022] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0180.022] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x17a) returned 0xd21df0 [0180.022] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0180.022] GetLastError () returned 0x0 [0180.022] SetLastError (dwErrCode=0x0) [0180.022] GetEnvironmentStringsW () returned 0xd21f78* [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0xa8c) returned 0xd22a10 [0180.023] FreeEnvironmentStringsW (penv=0xd21f78) returned 1 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x90) returned 0xd147a8 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3e) returned 0xd1afd0 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x5c) returned 0xd18a80 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x6e) returned 0xd14870 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x78) returned 0xd23dd0 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x62) returned 0xd14c40 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x28) returned 0xd13d78 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x48) returned 0xd13fc8 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1a) returned 0xd10570 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3a) returned 0xd1b060 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x62) returned 0xd13bd8 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2a) returned 0xd18850 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2e) returned 0xd18930 [0180.023] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1c) returned 0xd13da8 [0180.094] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x144) returned 0xd19c98 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x7c) returned 0xd182e0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x36) returned 0xd1e520 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3a) returned 0xd1ad00 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x90) returned 0xd145e0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd138f8 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x30) returned 0xd189a0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x36) returned 0xd1e1a0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x48) returned 0xd128f0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x52) returned 0xd104b8 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x3c) returned 0xd1ab08 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0xd6) returned 0xd19e58 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2e) returned 0xd18888 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x1e) returned 0xd12940 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2c) returned 0xd18738 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x54) returned 0xd13df0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x52) returned 0xd14050 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd13e50 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x42) returned 0xd140b0 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x2c) returned 0xd189d8 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x44) returned 0xd19f88 [0180.095] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x24) returned 0xd13928 [0180.096] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd22a10 | out: hHeap=0xd10000) returned 1 [0180.096] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x8, Size=0x800) returned 0xd21f78 [0180.096] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0180.096] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0180.096] GetStartupInfoW (in: lpStartupInfo=0x18f8dc | out: lpStartupInfo=0x18f8dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0180.096] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"" [0180.097] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"0\"", pNumArgs=0x18f8c8 | out: pNumArgs=0x18f8c8) returned 0xd22bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0180.097] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0180.100] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x1000) returned 0xd244b0 [0180.100] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x28) returned 0xd1a6d0 [0180.100] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setForkMode", cchWideChar=-1, lpMultiByteStr=0xd1a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setForkMode", lpUsedDefaultChar=0x0) returned 20 [0180.100] GetLastError () returned 0x0 [0180.100] SetLastError (dwErrCode=0x0) [0180.100] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeW") returned 0x0 [0180.101] GetLastError () returned 0x7f [0180.101] SetLastError (dwErrCode=0x7f) [0180.101] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeA") returned 0x0 [0180.101] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkMode") returned 0x647cb012 [0180.101] RtlAllocateHeap (HeapHandle=0xd10000, Flags=0x0, Size=0x4) returned 0xd13800 [0180.101] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xd13800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0180.101] GetActiveWindow () returned 0x0 [0180.102] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd244b0 | out: hHeap=0xd10000) returned 1 [0180.103] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd1a6d0 | out: hHeap=0xd10000) returned 1 [0180.103] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd13800 | out: hHeap=0xd10000) returned 1 [0180.103] GetCurrentProcessId () returned 0x1380 [0180.103] GetCurrentThreadId () returned 0xd64 [0180.103] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0180.113] Thread32First (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.114] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.114] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.115] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.116] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.116] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.117] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.118] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.119] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.120] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.120] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.121] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.121] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.122] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.123] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.123] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.124] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.124] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.125] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.126] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.126] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.127] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.127] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.128] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.129] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.129] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.130] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.130] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.131] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.131] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.132] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.133] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.228] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.228] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.229] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.229] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.230] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.231] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.231] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.232] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.232] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.233] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.234] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.234] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.235] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.236] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.237] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.237] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.238] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.239] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.240] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.241] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.241] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.242] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.243] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.244] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.244] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.245] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.246] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.246] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.247] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.247] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.248] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.249] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.249] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.250] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.250] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.251] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.251] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.252] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.253] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.253] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.254] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.254] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.255] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.256] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.256] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.257] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.257] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.258] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.259] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.259] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.260] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.260] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.261] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.262] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.263] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.264] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.264] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.265] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.266] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.267] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.267] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.268] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.269] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.269] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.270] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.271] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.271] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.272] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.273] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.327] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.328] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.328] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.329] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.329] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.330] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.331] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.331] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.332] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.332] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.333] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.334] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.334] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.335] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.335] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.336] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.337] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.337] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.338] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.339] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.339] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.340] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.340] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.341] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.341] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.342] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.343] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.343] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.344] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.344] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.345] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.346] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.347] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.348] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.348] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.349] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.350] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.350] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.351] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.353] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.354] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.355] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.355] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.356] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.357] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.358] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.358] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.359] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.359] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.360] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.361] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.362] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.362] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.363] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.364] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.365] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.365] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.366] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.367] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.429] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.431] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.431] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.432] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.432] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.433] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.434] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.434] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.435] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.435] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.436] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.437] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.437] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.438] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.439] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.439] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.440] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.440] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.441] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.441] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.442] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.443] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.443] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.444] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.444] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.445] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.446] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.446] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.447] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.447] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.448] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.449] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.449] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.450] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.450] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.451] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.451] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.452] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.453] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.453] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.454] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.454] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.455] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.455] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.456] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.457] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.457] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.458] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.458] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.459] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.460] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.460] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.461] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.462] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.462] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.463] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.464] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.465] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.466] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.466] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.467] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.467] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.468] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.469] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.469] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.470] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.470] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.471] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.471] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.472] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.473] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.473] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.474] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.474] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.475] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.476] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.476] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.515] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0180.516] Thread32Next (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0181.244] CloseHandle (hObject=0x150) returned 1 [0181.245] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x1368) returned 0x150 [0181.245] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0240.051] CloseHandle (hObject=0x150) returned 1 [0240.052] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0240.069] Thread32First (hSnapshot=0x150, lpte=0x18f8ac) returned 1 [0241.516] CloseHandle (hObject=0x150) returned 1 [0241.516] FreeLibrary (hLibModule=0x647c0000) returned 1 [0241.517] LocalFree (hMem=0xd22bc8) returned 0x0 [0241.517] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0241.518] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0241.519] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd13858 | out: hHeap=0xd10000) returned 1 [0241.519] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd21f78 | out: hHeap=0xd10000) returned 1 [0241.519] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0241.520] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0241.520] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18f8d4 | out: phModule=0x18f8d4) returned 0 [0241.520] ExitProcess (uExitCode=0x0) [0241.521] HeapFree (in: hHeap=0xd10000, dwFlags=0x0, lpMem=0xd20a50 | out: hHeap=0xd10000) returned 1 Thread: id = 528 os_tid = 0x1368 Process: id = "250" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3294c000" os_pid = "0x11e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18126 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18127 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18128 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18129 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18130 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18131 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18132 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18133 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18134 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 18135 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 18136 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18137 start_va = 0x7e540000 end_va = 0x7e562fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e540000" filename = "" Region: id = 18138 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18139 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18140 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18141 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18160 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 18161 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18162 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18163 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18164 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18165 start_va = 0x610000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 18166 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18167 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18169 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18170 start_va = 0x7e440000 end_va = 0x7e53ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e440000" filename = "" Region: id = 18171 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18172 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 18173 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18174 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18175 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18176 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 18177 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18178 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18179 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18180 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18181 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18182 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18183 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18184 start_va = 0x600000 end_va = 0x603fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 18185 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18186 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18187 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18188 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18189 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18190 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18191 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18192 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18193 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18194 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18195 start_va = 0x610000 end_va = 0x639fff monitored = 0 entry_point = 0x615680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18196 start_va = 0x6f0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 18197 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 18198 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18199 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 18200 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 18201 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 18202 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 18203 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 18204 start_va = 0x620000 end_va = 0x6b0fff monitored = 0 entry_point = 0x658cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18205 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 18206 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 18207 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 18208 start_va = 0x630000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 18209 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 18210 start_va = 0x640000 end_va = 0x641fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 18229 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 18230 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 18231 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 18232 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Thread: id = 530 os_tid = 0x14c [0181.321] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0181.321] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.321] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0181.321] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.321] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0181.321] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0181.322] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.322] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0181.322] GetProcessHeap () returned 0x6f0000 [0181.322] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.323] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0181.323] GetLastError () returned 0x7e [0181.323] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0181.323] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0181.323] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x364) returned 0x700a48 [0181.323] SetLastError (dwErrCode=0x7e) [0181.323] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xe00) returned 0x700db8 [0181.325] GetStartupInfoW (in: lpStartupInfo=0x18f834 | out: lpStartupInfo=0x18f834*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0181.325] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0181.325] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0181.325] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0181.325] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"" [0181.325] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"" [0181.325] GetACP () returned 0x4e4 [0181.325] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x220) returned 0x701bc0 [0181.325] IsValidCodePage (CodePage=0x4e4) returned 1 [0181.325] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f854 | out: lpCPInfo=0x18f854) returned 1 [0181.325] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f11c | out: lpCPInfo=0x18f11c) returned 1 [0181.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.325] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x18eeb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0181.325] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f130 | out: lpCharType=0x18f130) returned 1 [0181.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0181.326] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.326] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0181.326] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0181.326] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0181.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f630, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÞWÕÊlø\x18", lpUsedDefaultChar=0x0) returned 256 [0181.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.326] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f730, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0181.326] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0181.326] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0181.326] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f530, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÞWÕÊlø\x18", lpUsedDefaultChar=0x0) returned 256 [0181.326] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x80) returned 0x6f3850 [0181.326] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0181.326] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x178) returned 0x701de8 [0181.326] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0181.326] GetLastError () returned 0x0 [0181.326] SetLastError (dwErrCode=0x0) [0181.326] GetEnvironmentStringsW () returned 0x701f68* [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0xa8c) returned 0x702a00 [0181.327] FreeEnvironmentStringsW (penv=0x701f68) returned 1 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f4540 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3e) returned 0x6fad88 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x5c) returned 0x6f8818 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x6e) returned 0x6f4608 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x78) returned 0x7036c0 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f49d8 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x28) returned 0x6f3d70 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f3fc0 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1a) returned 0x6f0570 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6fab90 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x62) returned 0x6f3bd0 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2a) returned 0x6f8460 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f8508 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1c) returned 0x6f3da0 [0181.327] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x144) returned 0x6f9c90 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x7c) returned 0x6f8078 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fe418 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3a) returned 0x6fad40 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x90) returned 0x6f4378 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f38f0 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x30) returned 0x6f8498 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x36) returned 0x6fe198 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x48) returned 0x6f28f0 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f04b8 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x3c) returned 0x6fb0a0 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0xd6) returned 0x6f9e50 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2e) returned 0x6f8658 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x1e) returned 0x6f2940 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f8540 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x54) returned 0x6f3de8 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x52) returned 0x6f4048 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3e48 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x42) returned 0x6f40a8 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x2c) returned 0x6f8578 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x44) returned 0x6f9f80 [0181.328] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x24) returned 0x6f3920 [0181.328] HeapFree (in: hHeap=0x6f0000, dwFlags=0x0, lpMem=0x702a00 | out: hHeap=0x6f0000) returned 1 [0181.329] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x8, Size=0x800) returned 0x701f68 [0181.329] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0181.329] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0181.329] GetStartupInfoW (in: lpStartupInfo=0x18f898 | out: lpStartupInfo=0x18f898*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0181.329] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"" [0181.329] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"", pNumArgs=0x18f884 | out: pNumArgs=0x18f884) returned 0x702bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0181.329] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0181.332] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x1000) returned 0x7044a0 [0181.332] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x26) returned 0x6fa6c8 [0181.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogHook", cchWideChar=-1, lpMultiByteStr=0x6fa6c8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogHook", lpUsedDefaultChar=0x0) returned 19 [0181.332] GetLastError () returned 0x0 [0181.332] SetLastError (dwErrCode=0x0) [0181.332] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookW") returned 0x0 [0181.332] GetLastError () returned 0x7f [0181.332] SetLastError (dwErrCode=0x7f) [0181.332] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookA") returned 0x0 [0181.333] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHook") returned 0x647cb075 [0181.333] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0x0, Size=0x4) returned 0x6f37f8 [0181.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x6f37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0181.333] GetActiveWindow () returned 0x0 [0181.333] GetLastError () returned 0x7f [0181.333] SetLastError (dwErrCode=0x7f) Thread: id = 532 os_tid = 0xd08 Process: id = "251" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x32563000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18213 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18214 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18215 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18216 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18217 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18218 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18219 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18220 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18221 start_va = 0x740000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 18222 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 18223 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18224 start_va = 0x7edb0000 end_va = 0x7edd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edb0000" filename = "" Region: id = 18225 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18226 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18227 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18228 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18235 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 18236 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18237 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18238 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18239 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18240 start_va = 0x750000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 18241 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18242 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18246 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18247 start_va = 0x7ecb0000 end_va = 0x7edaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecb0000" filename = "" Region: id = 18248 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18249 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 18250 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18251 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18252 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18253 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 18254 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18255 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18256 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18257 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18258 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18259 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18260 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18261 start_va = 0x740000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 18262 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18263 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18264 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18290 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18291 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18292 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18293 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18294 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18295 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18296 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18297 start_va = 0x750000 end_va = 0x779fff monitored = 0 entry_point = 0x755680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18298 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 18299 start_va = 0x930000 end_va = 0xab7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 18300 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18304 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 18305 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 18306 start_va = 0xac0000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 18307 start_va = 0xc50000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 18308 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 18309 start_va = 0x750000 end_va = 0x7e0fff monitored = 0 entry_point = 0x788cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18324 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 18325 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 18326 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 18327 start_va = 0x750000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 18328 start_va = 0x770000 end_va = 0x775fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 18329 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18330 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18331 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18332 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18333 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18334 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18335 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18336 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18337 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18338 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18339 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18340 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18341 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18342 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18343 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18344 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18345 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18346 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18347 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18348 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18349 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18350 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18351 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18352 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18353 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18354 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18355 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18356 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18357 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18358 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18359 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18360 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18373 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18374 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18375 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18376 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18377 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18378 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18379 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18380 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18381 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18382 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18383 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18384 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18385 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18386 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18387 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18388 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18389 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18390 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18391 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18392 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18393 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18394 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18395 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18396 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18397 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18398 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18399 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18400 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18401 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18402 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18403 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18404 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18405 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18406 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18407 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18408 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18409 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18410 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18411 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18412 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18413 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18414 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18415 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18416 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18417 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18418 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18419 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18420 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18421 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18422 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18423 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18424 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18425 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18426 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18440 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18441 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18442 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18443 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18444 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18445 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18446 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18447 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18448 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18449 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18450 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18451 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18452 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18453 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18454 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18455 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18456 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18457 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18458 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18459 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18460 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18461 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18462 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18463 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18464 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18465 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18466 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18467 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18468 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18469 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18470 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18471 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18472 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18473 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18474 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18475 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18476 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18477 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18478 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18479 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18480 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18481 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18482 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18483 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18484 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18485 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18486 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18487 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18488 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18489 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18490 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18491 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18492 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18493 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18494 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18495 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18496 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18497 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18498 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18499 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18500 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18501 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18502 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18503 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18504 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18526 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18527 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18528 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18529 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18530 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18531 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18532 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18533 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18534 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18535 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18536 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18537 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18538 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18539 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18540 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18541 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18542 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18543 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18544 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18545 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18546 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18547 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18548 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18549 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18550 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18551 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18552 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18553 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18554 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18555 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18556 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18557 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18558 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18559 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18560 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18561 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18562 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18563 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18564 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18565 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18566 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18567 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18568 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18569 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18570 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18571 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18572 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18573 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18574 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18575 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18576 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18577 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18578 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18579 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18580 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18581 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18582 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18583 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18584 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18585 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18586 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18587 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18588 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18589 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18590 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18591 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18592 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18593 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18594 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18595 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18596 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18597 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18598 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18627 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18628 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18629 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18630 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18631 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18632 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18633 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18634 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18635 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18636 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18637 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18638 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18639 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18640 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18641 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18642 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18643 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18644 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18645 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18646 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18647 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18648 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18649 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18650 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18651 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 18652 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 24379 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 24380 start_va = 0x750000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 24381 start_va = 0x770000 end_va = 0x775fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 24382 start_va = 0x750000 end_va = 0x755fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Thread: id = 533 os_tid = 0x1394 [0181.859] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0181.859] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.859] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0181.859] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.860] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0181.860] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0181.861] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.862] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0181.863] GetProcessHeap () returned 0x830000 [0181.863] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0181.863] GetLastError () returned 0x7e [0181.863] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0181.864] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0181.864] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x364) returned 0x840a50 [0181.864] SetLastError (dwErrCode=0x7e) [0181.865] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xe00) returned 0x840dc0 [0181.966] GetStartupInfoW (in: lpStartupInfo=0x18f9f8 | out: lpStartupInfo=0x18f9f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0181.966] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0181.966] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0181.966] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0181.967] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"" [0181.967] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"" [0181.967] GetACP () returned 0x4e4 [0181.967] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x220) returned 0x841bc8 [0181.967] IsValidCodePage (CodePage=0x4e4) returned 1 [0181.967] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa18 | out: lpCPInfo=0x18fa18) returned 1 [0181.967] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2e0 | out: lpCPInfo=0x18f2e0) returned 1 [0181.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0181.967] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2f4 | out: lpCharType=0x18f2f4) returned 1 [0181.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0181.967] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0181.968] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0181.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0181.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0181.968] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80±¿k0ú\x18", lpUsedDefaultChar=0x0) returned 256 [0181.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0181.968] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f4, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0181.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0181.968] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0181.968] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6f4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80±¿k0ú\x18", lpUsedDefaultChar=0x0) returned 256 [0181.968] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x80) returned 0x833858 [0181.968] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0181.968] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x17a) returned 0x841df0 [0181.968] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0181.968] GetLastError () returned 0x0 [0181.968] SetLastError (dwErrCode=0x0) [0181.968] GetEnvironmentStringsW () returned 0x841f78* [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0xa8c) returned 0x842a10 [0181.969] FreeEnvironmentStringsW (penv=0x841f78) returned 1 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x90) returned 0x834548 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3e) returned 0x83ad00 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x5c) returned 0x838820 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x6e) returned 0x834610 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x78) returned 0x8437d0 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x62) returned 0x8349e0 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x28) returned 0x833d78 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x48) returned 0x833fc8 [0181.969] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1a) returned 0x830570 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3a) returned 0x83ad90 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x62) returned 0x833bd8 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2a) returned 0x838580 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2e) returned 0x838708 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1c) returned 0x833da8 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x144) returned 0x839c98 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x7c) returned 0x838080 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x36) returned 0x83e560 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3a) returned 0x83ae68 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x90) returned 0x834380 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x8338f8 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x30) returned 0x8385f0 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x36) returned 0x83e6a0 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x48) returned 0x8328f0 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x52) returned 0x8304b8 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x3c) returned 0x83af88 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0xd6) returned 0x839e58 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2e) returned 0x838740 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x1e) returned 0x832940 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2c) returned 0x8385b8 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x54) returned 0x833df0 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x52) returned 0x834050 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x833e50 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x42) returned 0x8340b0 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x2c) returned 0x838468 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x44) returned 0x839f88 [0181.970] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x24) returned 0x833928 [0181.971] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x842a10 | out: hHeap=0x830000) returned 1 [0181.971] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x8, Size=0x800) returned 0x841f78 [0181.971] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0181.971] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0181.972] GetStartupInfoW (in: lpStartupInfo=0x18fa5c | out: lpStartupInfo=0x18fa5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0181.972] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"" [0181.972] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"0\"", pNumArgs=0x18fa48 | out: pNumArgs=0x18fa48) returned 0x842bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0181.973] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0181.977] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x1000) returned 0x8444b0 [0181.977] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x28) returned 0x83a6d0 [0181.977] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogLevel", cchWideChar=-1, lpMultiByteStr=0x83a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogLevel", lpUsedDefaultChar=0x0) returned 20 [0181.977] GetLastError () returned 0x0 [0181.978] SetLastError (dwErrCode=0x0) [0181.978] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelW") returned 0x0 [0181.978] GetLastError () returned 0x7f [0181.978] SetLastError (dwErrCode=0x7f) [0181.978] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelA") returned 0x0 [0181.978] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevel") returned 0x647cb004 [0181.978] RtlAllocateHeap (HeapHandle=0x830000, Flags=0x0, Size=0x4) returned 0x833800 [0181.978] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x833800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0181.978] GetActiveWindow () returned 0x0 [0181.979] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x8444b0 | out: hHeap=0x830000) returned 1 [0181.980] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x83a6d0 | out: hHeap=0x830000) returned 1 [0181.980] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x833800 | out: hHeap=0x830000) returned 1 [0181.980] GetCurrentProcessId () returned 0xd60 [0181.980] GetCurrentThreadId () returned 0x1394 [0181.980] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0181.991] Thread32First (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.991] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.992] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.994] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.995] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.995] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.996] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.997] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.997] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.998] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.999] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0181.999] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.000] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.000] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.001] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.002] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.002] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.003] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.004] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.004] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.005] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.005] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.006] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.007] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.007] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.008] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.008] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.009] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.010] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.010] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.011] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.011] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.162] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.162] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.163] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.163] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.164] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.166] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.166] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.167] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.167] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.168] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.169] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.169] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.170] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.170] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.171] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.172] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.172] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.173] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.173] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.174] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.175] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.175] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.176] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.177] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.177] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.178] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.178] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.179] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.179] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.180] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.181] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.182] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.182] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.183] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.184] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.184] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.185] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.185] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.186] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.187] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.187] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.188] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.188] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.189] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.190] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.190] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.191] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.191] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.192] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.193] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.193] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.194] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.194] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.195] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.265] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.266] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.266] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.267] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.267] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.268] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.269] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.269] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.270] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.270] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.271] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.272] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.272] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.273] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.274] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.274] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.275] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.276] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.276] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.277] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.277] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.278] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.279] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.279] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.280] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.280] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.281] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.282] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.282] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.283] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.283] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.284] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.285] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.285] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.286] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.286] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.287] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.288] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.288] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.289] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.290] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.290] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.291] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.291] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.292] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.293] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.293] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.294] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.294] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.295] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.296] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.296] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.297] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.298] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.298] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.299] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.299] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.300] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.301] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.301] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.302] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.302] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.303] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.304] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.304] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.383] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.384] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.385] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.385] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.386] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.386] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.387] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.388] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.388] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.389] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.389] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.390] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.391] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.391] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.392] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.392] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.395] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.395] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.396] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.397] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.397] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.398] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.398] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.400] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.400] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.401] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.401] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.402] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.403] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.403] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.404] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.404] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.405] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.406] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.406] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.407] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.407] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.408] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.409] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.409] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.410] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.410] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.411] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.412] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.412] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.413] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.414] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.414] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.415] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.415] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.416] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.417] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.417] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.418] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.418] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.419] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.420] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.420] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.421] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.422] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.422] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.423] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.423] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.424] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.425] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.425] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.426] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.426] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.427] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.428] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.428] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.429] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.429] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.489] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.490] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.490] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.491] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.491] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.492] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.493] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.494] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.494] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.495] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.496] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.496] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.497] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.497] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.498] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.499] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.499] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.500] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.501] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.501] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.502] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.502] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.503] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.504] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.504] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0182.505] Thread32Next (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0183.355] CloseHandle (hObject=0x150) returned 1 [0183.355] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd18) returned 0x150 [0183.355] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0241.784] CloseHandle (hObject=0x150) returned 1 [0241.785] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0241.794] Thread32First (hSnapshot=0x150, lpte=0x18fa2c) returned 1 [0242.936] CloseHandle (hObject=0x150) returned 1 [0243.043] FreeLibrary (hLibModule=0x647c0000) returned 1 [0243.045] LocalFree (hMem=0x842bc8) returned 0x0 [0243.046] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0243.046] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0243.047] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x833858 | out: hHeap=0x830000) returned 1 [0243.047] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x841f78 | out: hHeap=0x830000) returned 1 [0243.048] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0243.048] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0243.048] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fa54 | out: phModule=0x18fa54) returned 0 [0243.048] ExitProcess (uExitCode=0x0) [0243.049] HeapFree (in: hHeap=0x830000, dwFlags=0x0, lpMem=0x840a50 | out: hHeap=0x830000) returned 1 Thread: id = 536 os_tid = 0xd18 Process: id = "252" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x14443000" os_pid = "0x784" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "250" os_parent_pid = "0x11e0" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4576 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18265 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18266 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18267 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18268 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18269 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 18270 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 18271 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 18272 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18273 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 18274 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 18275 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 18276 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18277 start_va = 0x7ea50000 end_va = 0x7ea72fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea50000" filename = "" Region: id = 18278 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18279 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18280 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 18281 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18282 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18283 start_va = 0x100000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 18284 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18285 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18286 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18287 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18301 start_va = 0x860000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 18302 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18303 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18310 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18311 start_va = 0x7e950000 end_va = 0x7ea4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e950000" filename = "" Region: id = 18312 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18313 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18314 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 18315 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 18316 start_va = 0x160000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 18317 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18318 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18319 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18320 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18321 start_va = 0x850000 end_va = 0x853fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 18322 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18323 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18361 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 18362 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18363 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18364 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 18365 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 18366 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18367 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 18368 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 18369 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 18370 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 18371 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 18372 start_va = 0xa80000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 18427 start_va = 0x860000 end_va = 0x863fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 18428 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 18429 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18430 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18431 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 18432 start_va = 0x880000 end_va = 0x8a9fff monitored = 0 entry_point = 0x885680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18433 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18434 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 18435 start_va = 0x880000 end_va = 0x883fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 18436 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 18505 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 18506 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 18507 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 18508 start_va = 0x890000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 18653 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 18654 start_va = 0x960000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 18655 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 18656 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 18657 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18658 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 18659 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 18660 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18661 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18662 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18663 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18664 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18665 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18666 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18667 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18668 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18669 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18685 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18686 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18687 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18688 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18689 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18690 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18691 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18692 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18693 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18694 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18695 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18696 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18697 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18698 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18699 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18700 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18701 start_va = 0x8b0000 end_va = 0x8b6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18731 start_va = 0x1a0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 18732 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 18733 start_va = 0x8b0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 18752 start_va = 0x930000 end_va = 0x931fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 18753 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18758 start_va = 0x6f010000 end_va = 0x6f42dfff monitored = 0 entry_point = 0x6f10ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 18759 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18762 start_va = 0x6f810000 end_va = 0x6f87ffff monitored = 0 entry_point = 0x6f864b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 18763 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 18764 start_va = 0xa80000 end_va = 0xb69fff monitored = 0 entry_point = 0xabd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18765 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 18766 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 18767 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18792 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 18793 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 18794 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18799 start_va = 0xbe0000 end_va = 0xf16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 18800 start_va = 0x940000 end_va = 0x941fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18801 start_va = 0x940000 end_va = 0x943fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18802 start_va = 0x940000 end_va = 0x945fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18803 start_va = 0x940000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18804 start_va = 0xf20000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 18805 start_va = 0x940000 end_va = 0x949fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18806 start_va = 0x940000 end_va = 0x94bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18807 start_va = 0x940000 end_va = 0x94dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18810 start_va = 0x940000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18811 start_va = 0x940000 end_va = 0x951fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18812 start_va = 0x940000 end_va = 0x953fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18813 start_va = 0x940000 end_va = 0x955fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18814 start_va = 0x940000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18815 start_va = 0x940000 end_va = 0x959fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18816 start_va = 0x940000 end_va = 0x95bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18817 start_va = 0x940000 end_va = 0x95dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18818 start_va = 0x940000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18819 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 18882 start_va = 0x6610000 end_va = 0x66dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 18883 start_va = 0x1020000 end_va = 0x10d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 18888 start_va = 0x66e0000 end_va = 0x6785fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 18897 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 18898 start_va = 0x950000 end_va = 0x952fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 18899 start_va = 0x970000 end_va = 0x973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 18900 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 18901 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18902 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18903 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18904 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18905 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18906 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18907 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18908 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18909 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18926 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18927 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18928 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18929 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18930 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18931 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18932 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18933 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18934 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18935 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18936 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18937 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18938 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18939 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 18940 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18941 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18942 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18951 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18952 start_va = 0xb80000 end_va = 0xb86fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18953 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 18954 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18955 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18956 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18957 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18958 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18959 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18976 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 18977 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 18978 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 18992 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 18993 start_va = 0xb80000 end_va = 0xb80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 18994 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 18995 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 18996 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 18997 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 18998 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19587 start_va = 0x1020000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 19588 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 19589 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 19590 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 19591 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 19592 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 19593 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 19755 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 19756 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 19917 start_va = 0x6f830000 end_va = 0x6f838fff monitored = 0 entry_point = 0x6f833830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 20112 start_va = 0xb80000 end_va = 0xb84fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 20113 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 20114 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 20246 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 20490 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 20491 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 20493 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 20494 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 20644 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 20834 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 20835 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 20868 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 20869 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 20870 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 20871 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 20872 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 20873 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 20874 start_va = 0x68d0000 end_va = 0x698bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068d0000" filename = "" Region: id = 20875 start_va = 0xba0000 end_va = 0xba3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 20876 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 20877 start_va = 0xbb0000 end_va = 0xbb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 20878 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20879 start_va = 0x6990000 end_va = 0x6990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 20880 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 20881 start_va = 0x69a0000 end_va = 0x69a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 20893 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 20894 start_va = 0x69b0000 end_va = 0x69b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 20895 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20917 start_va = 0x69c0000 end_va = 0x6eb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069c0000" filename = "" Region: id = 20918 start_va = 0x6ec0000 end_va = 0x7efffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 20954 start_va = 0x7e0000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 20986 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 20987 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 535 os_tid = 0x340 Thread: id = 537 os_tid = 0x1298 Thread: id = 540 os_tid = 0x11f4 Thread: id = 561 os_tid = 0x11ec Thread: id = 562 os_tid = 0x83c Thread: id = 565 os_tid = 0x11dc Thread: id = 596 os_tid = 0x1110 Thread: id = 613 os_tid = 0x7a0 Process: id = "253" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x32540000" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "250" os_parent_pid = "0x11e0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "254" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x21b79000" os_pid = "0x11bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18611 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18612 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18613 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18614 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18615 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18616 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 18617 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 18618 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18619 start_va = 0x7eed0000 end_va = 0x7eef2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eed0000" filename = "" Region: id = 18620 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18621 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18622 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18623 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18624 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18625 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18626 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18677 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18678 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18679 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18680 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18681 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18682 start_va = 0x410000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 18683 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18684 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18712 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18713 start_va = 0x7edd0000 end_va = 0x7eecffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edd0000" filename = "" Region: id = 18714 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18715 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18716 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18717 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 18718 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 18719 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 18720 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18721 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18722 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18723 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18724 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18725 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18726 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18727 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 18728 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18729 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18730 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18734 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18735 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18736 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18737 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18738 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18739 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18740 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18741 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 18742 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18743 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18744 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 18745 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18746 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 18747 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 18748 start_va = 0xa40000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 18749 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 18750 start_va = 0xa40000 end_va = 0xad0fff monitored = 0 entry_point = 0xa78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18751 start_va = 0xb10000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 18754 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 18755 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 18756 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 18757 start_va = 0xa40000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 18795 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 18796 start_va = 0xa50000 end_va = 0xa51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 18797 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 18798 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 18808 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 18809 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Thread: id = 538 os_tid = 0xd24 [0183.073] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0183.074] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.074] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0183.074] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.074] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0183.074] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0183.075] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.075] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0183.076] GetProcessHeap () returned 0x520000 [0183.076] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.076] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0183.076] GetLastError () returned 0x7e [0183.076] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0183.076] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0183.076] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x364) returned 0x530a60 [0183.077] SetLastError (dwErrCode=0x7e) [0183.077] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xe00) returned 0x530dd0 [0183.079] GetStartupInfoW (in: lpStartupInfo=0x18fdfc | out: lpStartupInfo=0x18fdfc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0183.079] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0183.079] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0183.079] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0183.079] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"" [0183.079] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"" [0183.079] GetACP () returned 0x4e4 [0183.079] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x220) returned 0x531bd8 [0183.079] IsValidCodePage (CodePage=0x4e4) returned 1 [0183.079] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe1c | out: lpCPInfo=0x18fe1c) returned 1 [0183.079] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6e4 | out: lpCPInfo=0x18f6e4) returned 1 [0183.079] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.079] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x18f488, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0183.080] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f6f8 | out: lpCharType=0x18f6f8) returned 1 [0183.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0183.080] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.080] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0183.080] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0183.080] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0183.080] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbf8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ+º\x07ô4þ\x18", lpUsedDefaultChar=0x0) returned 256 [0183.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.080] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcf8, cbMultiByte=256, lpWideCharStr=0x18f458, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0183.080] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0183.080] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f248, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0183.080] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18faf8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ+º\x07ô4þ\x18", lpUsedDefaultChar=0x0) returned 256 [0183.081] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x80) returned 0x523868 [0183.081] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0183.081] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x188) returned 0x531e00 [0183.081] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0183.081] GetLastError () returned 0x0 [0183.081] SetLastError (dwErrCode=0x0) [0183.081] GetEnvironmentStringsW () returned 0x531f90* [0183.081] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa8c) returned 0x532a28 [0183.082] FreeEnvironmentStringsW (penv=0x531f90) returned 1 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x90) returned 0x524558 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3e) returned 0x52ac80 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x5c) returned 0x528830 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x6e) returned 0x524620 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x78) returned 0x533ae8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x62) returned 0x5249f0 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x28) returned 0x523d88 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x48) returned 0x523fd8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1a) returned 0x520570 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3a) returned 0x52ac38 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x62) returned 0x523be8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2a) returned 0x5286a8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2e) returned 0x528638 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1c) returned 0x523db8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x144) returned 0x529ca8 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x7c) returned 0x528090 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x36) returned 0x52dfb0 [0183.082] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3a) returned 0x52b148 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x90) returned 0x524390 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523908 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x30) returned 0x5284b0 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x36) returned 0x52e5b0 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x48) returned 0x522900 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x52) returned 0x5204b8 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3c) returned 0x52b070 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xd6) returned 0x529e68 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2e) returned 0x5284e8 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1e) returned 0x522950 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2c) returned 0x528558 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x54) returned 0x523e00 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x52) returned 0x524060 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523e60 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x42) returned 0x5240c0 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2c) returned 0x528670 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x44) returned 0x529f98 [0183.083] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523938 [0183.084] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x532a28 | out: hHeap=0x520000) returned 1 [0183.084] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x800) returned 0x531f90 [0183.084] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0183.084] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0183.084] GetStartupInfoW (in: lpStartupInfo=0x18fe60 | out: lpStartupInfo=0x18fe60*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0183.084] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"" [0183.085] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"", pNumArgs=0x18fe4c | out: pNumArgs=0x18fe4c) returned 0x532be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0183.085] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0183.098] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x5344c8 [0183.098] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x36) returned 0x52e0f0 [0183.098] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setMaxLoginRetries", cchWideChar=-1, lpMultiByteStr=0x52e0f0, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setMaxLoginRetries", lpUsedDefaultChar=0x0) returned 27 [0183.098] GetLastError () returned 0x0 [0183.098] SetLastError (dwErrCode=0x0) [0183.099] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesW") returned 0x0 [0183.099] GetLastError () returned 0x7f [0183.099] SetLastError (dwErrCode=0x7f) [0183.099] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesA") returned 0x0 [0183.099] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetries") returned 0x647cb31d [0183.099] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x523810 [0183.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x523810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0183.099] GetActiveWindow () returned 0x0 [0183.100] GetLastError () returned 0x7f [0183.100] SetLastError (dwErrCode=0x7f) Thread: id = 541 os_tid = 0xa88 Process: id = "255" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6c979000" os_pid = "0x59c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "254" os_parent_pid = "0x11bc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "256" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x32190000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18821 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18822 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18823 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18824 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18825 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18826 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18827 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18828 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18829 start_va = 0x870000 end_va = 0x871fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 18830 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 18831 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18832 start_va = 0x7f7d0000 end_va = 0x7f7f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7d0000" filename = "" Region: id = 18833 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18834 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18835 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18836 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18837 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 18838 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18839 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18840 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18841 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18842 start_va = 0x880000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 18843 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18844 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18845 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18846 start_va = 0x7f6d0000 end_va = 0x7f7cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6d0000" filename = "" Region: id = 18847 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18848 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18849 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18850 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18851 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 18852 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18853 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18854 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18855 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18856 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18857 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18858 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18859 start_va = 0x870000 end_va = 0x873fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 18860 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18861 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18862 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18863 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18864 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18865 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18866 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18867 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18868 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18869 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18870 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 18871 start_va = 0x880000 end_va = 0x8a9fff monitored = 0 entry_point = 0x885680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18872 start_va = 0xa30000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 18873 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18874 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 18875 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 18876 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 18877 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 18878 start_va = 0xb30000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 18879 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 18880 start_va = 0xb30000 end_va = 0xbc0fff monitored = 0 entry_point = 0xb68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 18881 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 18884 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 18885 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 18886 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 18887 start_va = 0xa20000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 18891 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 18892 start_va = 0xb30000 end_va = 0xb31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 18893 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 18894 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 18895 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 18896 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Thread: id = 542 os_tid = 0x714 [0183.950] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0183.951] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.951] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0183.951] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.951] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0183.951] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0183.952] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.952] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0183.952] GetProcessHeap () returned 0xa30000 [0183.952] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.953] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0183.953] GetLastError () returned 0x7e [0183.953] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0183.953] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0183.953] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x364) returned 0xa40a60 [0183.953] SetLastError (dwErrCode=0x7e) [0183.953] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0xe00) returned 0xa40dd0 [0183.955] GetStartupInfoW (in: lpStartupInfo=0x18f8a0 | out: lpStartupInfo=0x18f8a0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0183.956] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0183.956] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0183.956] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0183.956] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"" [0183.956] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"" [0183.956] GetACP () returned 0x4e4 [0183.956] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0x220) returned 0xa41bd8 [0183.956] IsValidCodePage (CodePage=0x4e4) returned 1 [0183.956] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8c0 | out: lpCPInfo=0x18f8c0) returned 1 [0183.956] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f188 | out: lpCPInfo=0x18f188) returned 1 [0183.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0183.956] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f19c | out: lpCharType=0x18f19c) returned 1 [0183.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0183.956] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0183.957] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0183.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0183.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0183.957] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f69c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­\x1aSÚØø\x18", lpUsedDefaultChar=0x0) returned 256 [0183.957] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0183.957] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f79c, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0183.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0183.957] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0183.957] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f59c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­\x1aSÚØø\x18", lpUsedDefaultChar=0x0) returned 256 [0183.957] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0x80) returned 0xa33868 [0183.957] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0183.957] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x186) returned 0xa41e00 [0183.957] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0183.957] GetLastError () returned 0x0 [0183.957] SetLastError (dwErrCode=0x0) [0183.957] GetEnvironmentStringsW () returned 0xa41f90* [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0xa8c) returned 0xa42a28 [0183.958] FreeEnvironmentStringsW (penv=0xa41f90) returned 1 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x90) returned 0xa347b8 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x3e) returned 0xa3b070 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x5c) returned 0xa38a90 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x6e) returned 0xa34880 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x78) returned 0xa43c68 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x62) returned 0xa34c50 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x28) returned 0xa33d88 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x48) returned 0xa33fd8 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x1a) returned 0xa30570 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x3a) returned 0xa3ada0 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x62) returned 0xa33be8 [0183.958] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x2a) returned 0xa386d8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x2e) returned 0xa38978 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x1c) returned 0xa33db8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x144) returned 0xa39ca8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x7c) returned 0xa382f0 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x36) returned 0xa3e530 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x3a) returned 0xa3aba8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x90) returned 0xa345f0 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x24) returned 0xa33908 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x30) returned 0xa387b8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x36) returned 0xa3e6f0 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x48) returned 0xa32900 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x52) returned 0xa304b8 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x3c) returned 0xa3af98 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0xd6) returned 0xa39e68 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x2e) returned 0xa386a0 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x1e) returned 0xa32950 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x2c) returned 0xa38908 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x54) returned 0xa33e00 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x52) returned 0xa34060 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x24) returned 0xa33e60 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x42) returned 0xa340c0 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x2c) returned 0xa38940 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x44) returned 0xa39f98 [0183.959] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x24) returned 0xa33938 [0183.960] HeapFree (in: hHeap=0xa30000, dwFlags=0x0, lpMem=0xa42a28 | out: hHeap=0xa30000) returned 1 [0183.960] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x8, Size=0x800) returned 0xa41f90 [0183.960] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0183.960] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0183.960] GetStartupInfoW (in: lpStartupInfo=0x18f904 | out: lpStartupInfo=0x18f904*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0183.961] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"" [0183.961] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"", pNumArgs=0x18f8f0 | out: pNumArgs=0x18f8f0) returned 0xa42be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0183.962] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0183.964] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0x1000) returned 0xa444c8 [0183.964] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0x34) returned 0xa3e2b0 [0183.964] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINCachePeriod", cchWideChar=-1, lpMultiByteStr=0xa3e2b0, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINCachePeriod", lpUsedDefaultChar=0x0) returned 26 [0183.965] GetLastError () returned 0x0 [0183.965] SetLastError (dwErrCode=0x0) [0183.965] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodW") returned 0x0 [0183.965] GetLastError () returned 0x7f [0183.965] SetLastError (dwErrCode=0x7f) [0183.965] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodA") returned 0x0 [0183.965] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriod") returned 0x647cb2b9 [0183.965] RtlAllocateHeap (HeapHandle=0xa30000, Flags=0x0, Size=0x4) returned 0xa33810 [0183.965] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xa33810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0183.965] GetActiveWindow () returned 0x0 [0183.966] GetLastError () returned 0x7f [0183.966] SetLastError (dwErrCode=0x7f) Thread: id = 544 os_tid = 0x864 Process: id = "257" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6c598000" os_pid = "0x12c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "256" os_parent_pid = "0x1200" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "258" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x323a8000" os_pid = "0x13e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 18910 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 18911 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 18912 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 18913 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 18914 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 18915 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 18916 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 18917 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 18918 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 18919 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 18920 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 18921 start_va = 0x7f560000 end_va = 0x7f582fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f560000" filename = "" Region: id = 18922 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 18923 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 18924 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 18925 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 18943 start_va = 0x560000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 18944 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 18945 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 18946 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18947 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 18948 start_va = 0x730000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 18949 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 18950 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 18960 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 18961 start_va = 0x7f460000 end_va = 0x7f55ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f460000" filename = "" Region: id = 18962 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 18963 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 18964 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 18965 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 18966 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 18967 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 18968 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 18969 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 18970 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 18971 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 18972 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 18973 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 18974 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 18975 start_va = 0x720000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 18979 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 18980 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 18981 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 18982 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 18983 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 18984 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 18985 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 18986 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 18987 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 18988 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 18989 start_va = 0x5d0000 end_va = 0x5f9fff monitored = 0 entry_point = 0x5d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18990 start_va = 0x940000 end_va = 0xac7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 18991 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 18999 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19000 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 19001 start_va = 0x5e0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 19002 start_va = 0xad0000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 19003 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19004 start_va = 0x5e0000 end_va = 0x670fff monitored = 0 entry_point = 0x618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19005 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 19008 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19009 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 19010 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 19011 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 19015 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 19016 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19017 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 19018 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19019 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 19020 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Thread: id = 545 os_tid = 0x1188 [0185.189] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0185.189] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.189] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0185.189] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.189] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0185.189] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0185.190] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.190] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0185.191] GetProcessHeap () returned 0x840000 [0185.191] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.191] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0185.191] GetLastError () returned 0x7e [0185.191] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0185.191] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0185.191] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x364) returned 0x850a68 [0185.191] SetLastError (dwErrCode=0x7e) [0185.192] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0xe00) returned 0x850dd8 [0185.193] GetStartupInfoW (in: lpStartupInfo=0x18f754 | out: lpStartupInfo=0x18f754*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0185.193] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0185.193] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0185.193] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0185.193] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"" [0185.193] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"" [0185.194] GetACP () returned 0x4e4 [0185.194] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x220) returned 0x851be0 [0185.194] IsValidCodePage (CodePage=0x4e4) returned 1 [0185.194] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f774 | out: lpCPInfo=0x18f774) returned 1 [0185.194] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f03c | out: lpCPInfo=0x18f03c) returned 1 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18edd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0185.194] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f050 | out: lpCharType=0x18f050) returned 1 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0185.194] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.194] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0185.194] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0185.194] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0185.194] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f550, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿKÊÏ\x13\x8c÷\x18", lpUsedDefaultChar=0x0) returned 256 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.194] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0185.194] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0185.194] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0185.195] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f450, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿKÊÏ\x13\x8c÷\x18", lpUsedDefaultChar=0x0) returned 256 [0185.195] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x80) returned 0x843868 [0185.195] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0185.195] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x184) returned 0x851e08 [0185.195] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0185.195] GetLastError () returned 0x0 [0185.195] SetLastError (dwErrCode=0x0) [0185.195] GetEnvironmentStringsW () returned 0x851f98* [0185.195] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0xa8c) returned 0x852a30 [0185.201] FreeEnvironmentStringsW (penv=0x851f98) returned 1 [0185.201] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x90) returned 0x844558 [0185.201] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3e) returned 0x84ada8 [0185.201] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x5c) returned 0x848a98 [0185.201] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x6e) returned 0x844850 [0185.201] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x78) returned 0x853ff0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x62) returned 0x8449f0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x28) returned 0x843d88 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x48) returned 0x843fd8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1a) returned 0x843db8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3a) returned 0x84af10 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x62) returned 0x844620 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2a) returned 0x848788 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2e) returned 0x8487c0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1c) returned 0x8447c0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x144) returned 0x849cb0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x7c) returned 0x844390 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x36) returned 0x84e5f8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3a) returned 0x84abb0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x90) returned 0x843e00 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x8447e8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x30) returned 0x8486e0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x36) returned 0x84e538 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x48) returned 0x843be8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x52) returned 0x843908 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3c) returned 0x84afa0 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0xd6) returned 0x849e70 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2e) returned 0x8487f8 [0185.202] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1e) returned 0x843c38 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2c) returned 0x848830 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x54) returned 0x842900 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x52) returned 0x8404b8 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x844060 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x42) returned 0x844090 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2c) returned 0x848980 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x44) returned 0x849fa0 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x8440e0 [0185.203] HeapFree (in: hHeap=0x840000, dwFlags=0x0, lpMem=0x852a30 | out: hHeap=0x840000) returned 1 [0185.203] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x800) returned 0x851f98 [0185.204] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0185.204] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0185.204] GetStartupInfoW (in: lpStartupInfo=0x18f7b8 | out: lpStartupInfo=0x18f7b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0185.204] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"" [0185.204] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"", pNumArgs=0x18f7a4 | out: pNumArgs=0x18f7a4) returned 0x852be8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0185.204] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0185.207] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x1000) returned 0x8544d0 [0185.207] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x32) returned 0x84dfb8 [0185.207] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINPromptHook", cchWideChar=-1, lpMultiByteStr=0x84dfb8, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINPromptHook", lpUsedDefaultChar=0x0) returned 25 [0185.207] GetLastError () returned 0x0 [0185.207] SetLastError (dwErrCode=0x0) [0185.207] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookW") returned 0x0 [0185.207] GetLastError () returned 0x7f [0185.208] SetLastError (dwErrCode=0x7f) [0185.208] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookA") returned 0x0 [0185.208] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHook") returned 0x647cb197 [0185.208] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x4) returned 0x843e98 [0185.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x843e98, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0185.208] GetActiveWindow () returned 0x0 [0185.209] GetLastError () returned 0x7f [0185.209] SetLastError (dwErrCode=0x7f) Thread: id = 547 os_tid = 0x136c Process: id = "259" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x31a40000" os_pid = "0x137c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "258" os_parent_pid = "0x13e0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "260" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x319bf000" os_pid = "0x11e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19021 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19022 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19023 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19024 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19025 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19026 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19027 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19028 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19029 start_va = 0xe90000 end_va = 0xe91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 19030 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19031 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19032 start_va = 0x7eec0000 end_va = 0x7eee2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eec0000" filename = "" Region: id = 19033 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19034 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19035 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19036 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19037 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19038 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19039 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19040 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19041 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19042 start_va = 0xea0000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 19043 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19044 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19045 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19046 start_va = 0x7edc0000 end_va = 0x7eebffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edc0000" filename = "" Region: id = 19047 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19048 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 19049 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19050 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19051 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19052 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 19053 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19054 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19055 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19056 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19057 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19058 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19059 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19060 start_va = 0xe90000 end_va = 0xe93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 19061 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19062 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19063 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19064 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19065 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19066 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19067 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19068 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19069 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19070 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19071 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 19072 start_va = 0xea0000 end_va = 0xec9fff monitored = 0 entry_point = 0xea5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19073 start_va = 0xfa0000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 19074 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19075 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19076 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19077 start_va = 0x820000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 19078 start_va = 0xea0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 19079 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19080 start_va = 0xee0000 end_va = 0xf70fff monitored = 0 entry_point = 0xf18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19081 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19082 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 19083 start_va = 0xed0000 end_va = 0xedffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 19084 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 19085 start_va = 0xeb0000 end_va = 0xeb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 19086 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 19087 start_va = 0xec0000 end_va = 0xec1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 19088 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 19089 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 19090 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 19091 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Thread: id = 548 os_tid = 0x13e4 [0185.679] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0185.679] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.680] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0185.680] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.680] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0185.681] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0185.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.682] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0185.682] GetProcessHeap () returned 0xfa0000 [0185.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.682] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0185.682] GetLastError () returned 0x7e [0185.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0185.683] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0185.683] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x364) returned 0xfb09a8 [0185.683] SetLastError (dwErrCode=0x7e) [0185.683] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0xe00) returned 0xfb0d18 [0185.685] GetStartupInfoW (in: lpStartupInfo=0x18fdbc | out: lpStartupInfo=0x18fdbc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0185.685] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0185.685] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0185.685] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0185.685] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"" [0185.685] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"" [0185.685] GetACP () returned 0x4e4 [0185.685] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0x220) returned 0xfb1b20 [0185.685] IsValidCodePage (CodePage=0x4e4) returned 1 [0185.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fddc | out: lpCPInfo=0x18fddc) returned 1 [0185.685] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6a4 | out: lpCPInfo=0x18f6a4) returned 1 [0185.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x18f448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0185.685] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f6b8 | out: lpCharType=0x18f6b8) returned 1 [0185.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.685] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x18f3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0185.685] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0185.686] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0185.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0185.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f1e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0185.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbb8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9d^yãôý\x18", lpUsedDefaultChar=0x0) returned 256 [0185.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0185.686] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb8, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0185.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0185.686] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f208, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0185.686] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fab8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9d^yãôý\x18", lpUsedDefaultChar=0x0) returned 256 [0185.686] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0x80) returned 0xfa3880 [0185.686] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0185.686] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x198) returned 0xfb1d48 [0185.686] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0185.686] GetLastError () returned 0x0 [0185.686] SetLastError (dwErrCode=0x0) [0185.686] GetEnvironmentStringsW () returned 0xfb1ee8* [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0xa8c) returned 0xfb2980 [0185.687] FreeEnvironmentStringsW (penv=0xfb1ee8) returned 1 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x90) returned 0xfa4570 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x3e) returned 0xfaadb8 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x5c) returned 0xfa8aa8 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x6e) returned 0xfa4638 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x78) returned 0xfb3440 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x62) returned 0xfa4a08 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x28) returned 0xfa3da0 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x48) returned 0xfa3ff0 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x1a) returned 0xfa0570 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x3a) returned 0xfab160 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x62) returned 0xfa3c00 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x2a) returned 0xfa8570 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x2e) returned 0xfa8768 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x1c) returned 0xfa3dd0 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x144) returned 0xfa9cc0 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x7c) returned 0xfa80a8 [0185.687] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x36) returned 0xfae538 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x3a) returned 0xfaab78 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x90) returned 0xfa43a8 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x24) returned 0xfa3920 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x30) returned 0xfa8420 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x36) returned 0xfae278 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x48) returned 0xfa2910 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x52) returned 0xfa04b8 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x3c) returned 0xfaaa10 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0xd6) returned 0xfa9e80 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x2e) returned 0xfa85a8 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x1e) returned 0xfa2960 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x2c) returned 0xfa8458 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x54) returned 0xfa3e18 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x52) returned 0xfa4078 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x24) returned 0xfa3e78 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x42) returned 0xfa40d8 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x2c) returned 0xfa8490 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x44) returned 0xfa9fb0 [0185.688] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x24) returned 0xfa3950 [0185.689] HeapFree (in: hHeap=0xfa0000, dwFlags=0x0, lpMem=0xfb2980 | out: hHeap=0xfa0000) returned 1 [0185.689] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x8, Size=0x800) returned 0xfb1ee8 [0185.689] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0185.689] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0185.689] GetStartupInfoW (in: lpStartupInfo=0x18fe20 | out: lpStartupInfo=0x18fe20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0185.689] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"" [0185.689] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"", pNumArgs=0x18fe0c | out: pNumArgs=0x18fe0c) returned 0xfb2b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0185.689] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0185.702] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0x1000) returned 0xfb4420 [0185.702] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0x46) returned 0xfaa6f8 [0185.702] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setProtectedAuthentication", cchWideChar=-1, lpMultiByteStr=0xfaa6f8, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setProtectedAuthentication", lpUsedDefaultChar=0x0) returned 35 [0185.703] GetLastError () returned 0x0 [0185.703] SetLastError (dwErrCode=0x0) [0185.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationW") returned 0x0 [0185.703] GetLastError () returned 0x7f [0185.703] SetLastError (dwErrCode=0x7f) [0185.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationA") returned 0x0 [0185.703] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthentication") returned 0x647cb381 [0185.703] RtlAllocateHeap (HeapHandle=0xfa0000, Flags=0x0, Size=0x4) returned 0xfa3828 [0185.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xfa3828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0185.703] GetActiveWindow () returned 0x0 [0185.704] GetLastError () returned 0x7f [0185.704] SetLastError (dwErrCode=0x7f) Thread: id = 550 os_tid = 0x12d8 Process: id = "261" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x321ea000" os_pid = "0xc98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "260" os_parent_pid = "0x11e4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "262" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x318d7000" os_pid = "0x12d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19094 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19095 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19096 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19097 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19098 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19099 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 19100 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19101 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19102 start_va = 0x7f120000 end_va = 0x7f142fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f120000" filename = "" Region: id = 19103 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19104 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19105 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19106 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19107 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19108 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19109 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19111 start_va = 0x400000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19112 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19113 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19114 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19115 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19116 start_va = 0xde0000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 19117 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19118 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19119 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19120 start_va = 0x7f020000 end_va = 0x7f11ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f020000" filename = "" Region: id = 19121 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19122 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 19123 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19124 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19125 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19126 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 19127 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19128 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19129 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19130 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19131 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19132 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19133 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19134 start_va = 0xdd0000 end_va = 0xdd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 19135 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19136 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19137 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19138 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19139 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19140 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19141 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19142 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19143 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19144 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19145 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 19146 start_va = 0xde0000 end_va = 0xe09fff monitored = 0 entry_point = 0xde5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19147 start_va = 0xe40000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 19148 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19149 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19150 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19151 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 19152 start_va = 0xf40000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 19153 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19154 start_va = 0xfb0000 end_va = 0x1040fff monitored = 0 entry_point = 0xfe8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19157 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19158 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 19159 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 19160 start_va = 0xdf0000 end_va = 0xdf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 19161 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 19162 start_va = 0xe00000 end_va = 0xe01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 19163 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 19164 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 19165 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 19166 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Thread: id = 554 os_tid = 0xc90 [0186.269] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0186.269] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.269] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0186.269] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.269] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0186.269] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0186.270] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.270] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0186.271] GetProcessHeap () returned 0xe40000 [0186.271] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.271] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0186.272] GetLastError () returned 0x7e [0186.272] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0186.272] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0186.272] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x364) returned 0xe50a60 [0186.273] SetLastError (dwErrCode=0x7e) [0186.273] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0xe00) returned 0xe50dd0 [0186.276] GetStartupInfoW (in: lpStartupInfo=0x18fd00 | out: lpStartupInfo=0x18fd00*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0186.276] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0186.277] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0186.277] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0186.277] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"" [0186.277] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"" [0186.277] GetACP () returned 0x4e4 [0186.277] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x220) returned 0xe51bd8 [0186.277] IsValidCodePage (CodePage=0x4e4) returned 1 [0186.277] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd20 | out: lpCPInfo=0x18fd20) returned 1 [0186.277] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5e8 | out: lpCPInfo=0x18f5e8) returned 1 [0186.277] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.277] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x18f388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0186.277] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f5fc | out: lpCharType=0x18f5fc) returned 1 [0186.278] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.278] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0186.278] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.278] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0186.278] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0186.278] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f128, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0186.278] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fafc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{ \x10\x068ý\x18", lpUsedDefaultChar=0x0) returned 256 [0186.278] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.278] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbfc, cbMultiByte=256, lpWideCharStr=0x18f358, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0186.278] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0186.278] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f148, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0186.278] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ{ \x10\x068ý\x18", lpUsedDefaultChar=0x0) returned 256 [0186.278] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x80) returned 0xe43868 [0186.279] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x184) returned 0xe51e00 [0186.279] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0186.279] GetLastError () returned 0x0 [0186.279] SetLastError (dwErrCode=0x0) [0186.279] GetEnvironmentStringsW () returned 0xe51f90* [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0xa8c) returned 0xe52a28 [0186.279] FreeEnvironmentStringsW (penv=0xe51f90) returned 1 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x90) returned 0xe447b8 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3e) returned 0xe4ac80 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x5c) returned 0xe48a90 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x6e) returned 0xe44880 [0186.279] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x78) returned 0xe53c68 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x62) returned 0xe44c50 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x28) returned 0xe43d88 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x48) returned 0xe43fd8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1a) returned 0xe40570 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3a) returned 0xe4a9f8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x62) returned 0xe43be8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2a) returned 0xe486d8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2e) returned 0xe489b0 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1c) returned 0xe43db8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x144) returned 0xe49ca8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x7c) returned 0xe482f0 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x36) returned 0xe4e630 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3a) returned 0xe4aba8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x90) returned 0xe445f0 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43908 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x30) returned 0xe48748 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x36) returned 0xe4e370 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x48) returned 0xe42900 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x52) returned 0xe404b8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3c) returned 0xe4ade8 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0xd6) returned 0xe49e68 [0186.280] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2e) returned 0xe487b8 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1e) returned 0xe42950 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2c) returned 0xe489e8 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x54) returned 0xe43e00 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x52) returned 0xe44060 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43e60 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x42) returned 0xe440c0 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2c) returned 0xe48940 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x44) returned 0xe49f98 [0186.281] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43938 [0186.282] HeapFree (in: hHeap=0xe40000, dwFlags=0x0, lpMem=0xe52a28 | out: hHeap=0xe40000) returned 1 [0186.282] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x800) returned 0xe51f90 [0186.282] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0186.282] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0186.282] GetStartupInfoW (in: lpStartupInfo=0x18fd64 | out: lpStartupInfo=0x18fd64*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0186.282] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"" [0186.282] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"", pNumArgs=0x18fd50 | out: pNumArgs=0x18fd50) returned 0xe52be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0186.283] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0186.285] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x1000) returned 0xe544c8 [0186.285] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x32) returned 0xe4e270 [0186.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setSlotEventHook", cchWideChar=-1, lpMultiByteStr=0xe4e270, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setSlotEventHook", lpUsedDefaultChar=0x0) returned 25 [0186.285] GetLastError () returned 0x0 [0186.285] SetLastError (dwErrCode=0x0) [0186.286] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookW") returned 0x0 [0186.286] GetLastError () returned 0x7f [0186.286] SetLastError (dwErrCode=0x7f) [0186.286] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookA") returned 0x0 [0186.286] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHook") returned 0x647cb106 [0186.286] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x4) returned 0xe43810 [0186.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xe43810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0186.286] GetActiveWindow () returned 0x0 [0186.287] GetLastError () returned 0x7f [0186.287] SetLastError (dwErrCode=0x7f) Thread: id = 556 os_tid = 0x134c Process: id = "263" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2bb04000" os_pid = "0xcec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "262" os_parent_pid = "0x12d0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "264" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x41cef000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19174 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19175 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19176 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19177 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19178 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19179 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19180 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19181 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19182 start_va = 0x720000 end_va = 0x721fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 19183 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19184 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19185 start_va = 0x7eea0000 end_va = 0x7eec2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eea0000" filename = "" Region: id = 19186 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19187 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19188 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19189 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19190 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19191 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19192 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19193 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19194 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19195 start_va = 0x730000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 19196 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19197 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19198 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19199 start_va = 0x7eda0000 end_va = 0x7ee9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eda0000" filename = "" Region: id = 19200 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19201 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19202 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19203 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19204 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 19205 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19206 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19207 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19208 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19209 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19210 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19211 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19212 start_va = 0x720000 end_va = 0x723fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 19213 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19214 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19215 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19216 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19217 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19218 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19219 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19220 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19221 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19222 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19223 start_va = 0x730000 end_va = 0x759fff monitored = 0 entry_point = 0x735680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19224 start_va = 0x7a0000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 19225 start_va = 0x8a0000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 19226 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19227 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19228 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19229 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 19230 start_va = 0x730000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 19231 start_va = 0xa30000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 19232 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19233 start_va = 0xbc0000 end_va = 0xc50fff monitored = 0 entry_point = 0xbf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19234 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19235 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 19236 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 19237 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 19238 start_va = 0x740000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 19239 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 19240 start_va = 0x750000 end_va = 0x751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 19241 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 19242 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 19243 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 19244 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Thread: id = 557 os_tid = 0x79c [0186.675] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0186.675] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.676] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0186.676] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.676] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0186.676] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0186.678] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.678] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0186.678] GetProcessHeap () returned 0x7a0000 [0186.678] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0186.679] GetLastError () returned 0x7e [0186.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0186.679] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0186.679] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x364) returned 0x7b0a60 [0186.679] SetLastError (dwErrCode=0x7e) [0186.679] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xe00) returned 0x7b0dd0 [0186.681] GetStartupInfoW (in: lpStartupInfo=0x18fb34 | out: lpStartupInfo=0x18fb34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0186.682] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0186.682] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0186.682] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0186.682] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"" [0186.682] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"" [0186.682] GetACP () returned 0x4e4 [0186.682] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x220) returned 0x7b1bd8 [0186.682] IsValidCodePage (CodePage=0x4e4) returned 1 [0186.682] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb54 | out: lpCPInfo=0x18fb54) returned 1 [0186.682] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f41c | out: lpCPInfo=0x18f41c) returned 1 [0186.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0186.682] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f430 | out: lpCharType=0x18f430) returned 1 [0186.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.682] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f178, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0186.682] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0186.683] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0186.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0186.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0186.683] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f930, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x05S|9lû\x18", lpUsedDefaultChar=0x0) returned 256 [0186.683] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0186.683] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0186.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0186.683] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0186.683] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f830, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x05S|9lû\x18", lpUsedDefaultChar=0x0) returned 256 [0186.683] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x80) returned 0x7a3868 [0186.683] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0186.683] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x188) returned 0x7b1e00 [0186.683] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0186.683] GetLastError () returned 0x0 [0186.683] SetLastError (dwErrCode=0x0) [0186.684] GetEnvironmentStringsW () returned 0x7b1f90* [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0xa8c) returned 0x7b2a28 [0186.684] FreeEnvironmentStringsW (penv=0x7b1f90) returned 1 [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x90) returned 0x7a4558 [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x3e) returned 0x7aaad0 [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x5c) returned 0x7a8a90 [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x6e) returned 0x7a4620 [0186.684] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x78) returned 0x7b3f68 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x62) returned 0x7a4c50 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x28) returned 0x7a3d88 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x48) returned 0x7a3fd8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x1a) returned 0x7a0570 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x3a) returned 0x7aaf98 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x62) returned 0x7a3be8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x2a) returned 0x7a8710 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x2e) returned 0x7a8940 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x1c) returned 0x7a3db8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x144) returned 0x7a9ca8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x7c) returned 0x7a82f0 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x36) returned 0x7ae6b0 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x3a) returned 0x7aab18 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x90) returned 0x7a4390 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x24) returned 0x7a3908 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x30) returned 0x7a87b8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x36) returned 0x7ae1b0 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x48) returned 0x7a2900 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x52) returned 0x7a04b8 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x3c) returned 0x7aaec0 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0xd6) returned 0x7a9e68 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x2e) returned 0x7a8908 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x1e) returned 0x7a2950 [0186.685] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x2c) returned 0x7a89e8 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x54) returned 0x7a3e00 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x52) returned 0x7a4060 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x24) returned 0x7a3e60 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x42) returned 0x7a40c0 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x2c) returned 0x7a89b0 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x44) returned 0x7a9f98 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x24) returned 0x7a3938 [0186.686] HeapFree (in: hHeap=0x7a0000, dwFlags=0x0, lpMem=0x7b2a28 | out: hHeap=0x7a0000) returned 1 [0186.686] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x8, Size=0x800) returned 0x7b1f90 [0186.687] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0186.687] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0186.687] GetStartupInfoW (in: lpStartupInfo=0x18fb98 | out: lpStartupInfo=0x18fb98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0186.687] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"" [0186.687] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"", pNumArgs=0x18fb84 | out: pNumArgs=0x18fb84) returned 0x7b2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0186.688] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0186.701] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x1000) returned 0x7b44c8 [0186.701] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x36) returned 0x7ae030 [0186.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setTokenPromptHook", cchWideChar=-1, lpMultiByteStr=0x7ae030, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setTokenPromptHook", lpUsedDefaultChar=0x0) returned 27 [0186.702] GetLastError () returned 0x0 [0186.702] SetLastError (dwErrCode=0x0) [0186.702] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookW") returned 0x0 [0186.702] GetLastError () returned 0x7f [0186.702] SetLastError (dwErrCode=0x7f) [0186.702] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookA") returned 0x0 [0186.702] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHook") returned 0x647cb228 [0186.703] RtlAllocateHeap (HeapHandle=0x7a0000, Flags=0x0, Size=0x4) returned 0x7a3810 [0186.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x7a3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0186.703] GetActiveWindow () returned 0x0 [0186.704] GetLastError () returned 0x7f [0186.704] SetLastError (dwErrCode=0x7f) Thread: id = 559 os_tid = 0x11b8 Process: id = "265" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3173b000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "264" os_parent_pid = "0xb58" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "266" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x14d06000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19249 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19250 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19251 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19252 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19253 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19254 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19255 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19256 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19257 start_va = 0xda0000 end_va = 0xda1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 19258 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19259 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19260 start_va = 0x7f050000 end_va = 0x7f072fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f050000" filename = "" Region: id = 19261 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19262 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19263 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19264 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19269 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19270 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19271 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19272 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19273 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19274 start_va = 0xdb0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 19275 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19276 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19277 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19278 start_va = 0x7ef50000 end_va = 0x7f04ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef50000" filename = "" Region: id = 19279 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19280 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 19281 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19282 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19283 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19284 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19285 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19288 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19289 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19290 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19291 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19292 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19293 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19294 start_va = 0xda0000 end_va = 0xda3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 19295 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19296 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19297 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19298 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19299 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19300 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19301 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19302 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19303 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19304 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19305 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 19306 start_va = 0xed0000 end_va = 0xef9fff monitored = 0 entry_point = 0xed5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19307 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19308 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19309 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 19310 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 19311 start_va = 0xed0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 19312 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19313 start_va = 0xed0000 end_va = 0xf60fff monitored = 0 entry_point = 0xf08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19314 start_va = 0x1000000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 19315 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19316 start_va = 0xdb0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 19317 start_va = 0xdd0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 19318 start_va = 0x910000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 19319 start_va = 0xdb0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 19320 start_va = 0xed0000 end_va = 0xed5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 19321 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19322 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19323 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19324 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19325 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19326 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19327 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19328 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19329 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19330 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19331 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19332 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19333 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19334 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19335 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19336 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19337 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19338 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19339 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19340 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19341 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19342 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19343 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19344 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19345 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19346 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19347 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19348 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19349 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19350 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19351 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19352 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19353 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19354 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19355 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19356 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19357 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19358 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19359 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19360 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19361 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19362 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19363 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19364 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19365 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19366 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19367 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19368 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19369 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19370 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19371 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19372 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19373 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19374 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19375 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19376 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19377 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19378 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19379 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19380 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19381 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19382 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19383 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19384 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19385 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19386 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19387 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19388 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19389 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19390 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19391 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19392 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19393 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19394 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19395 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19396 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19397 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19398 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19399 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19400 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19401 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19402 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19403 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19404 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19405 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19406 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19407 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19408 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19409 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19410 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19411 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19412 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19413 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19414 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19415 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19416 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19417 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19418 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19419 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19420 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19421 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19422 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19423 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19424 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19425 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19426 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19427 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19428 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19429 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19430 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19431 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19432 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19433 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19434 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19435 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19436 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19437 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19438 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19439 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19440 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19441 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19442 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19443 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19444 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19445 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19446 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19447 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19448 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19449 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19450 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19451 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19452 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19453 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19454 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19455 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19456 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19457 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19458 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19459 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19460 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19461 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19462 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19463 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19464 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19465 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19466 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19467 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19468 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19469 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19470 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19471 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19472 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19473 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19474 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19475 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19476 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19477 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19478 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19479 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19480 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19481 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19482 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19483 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19484 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19485 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19486 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19487 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19488 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19489 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19490 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19491 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19492 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19493 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19494 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19495 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19496 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19497 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19498 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19499 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19500 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19501 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19502 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19503 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19504 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19505 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19506 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19507 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19508 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19509 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19510 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19511 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19512 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19513 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19514 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19515 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19516 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19517 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19518 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19519 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19520 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19521 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19522 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19523 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19524 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19525 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19526 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19527 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19528 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19529 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19530 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19531 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19532 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19533 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19534 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19535 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19536 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19537 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19538 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19539 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19540 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19541 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19542 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19543 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19544 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19545 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19546 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19547 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19548 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19549 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19550 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19551 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19552 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19553 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19554 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19555 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19556 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19557 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19558 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19559 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19560 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19561 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19562 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19563 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19564 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19565 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19566 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19567 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19568 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19569 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 19570 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 24757 start_va = 0xdb0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 24758 start_va = 0xdb0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 24759 start_va = 0xed0000 end_va = 0xed5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 24760 start_va = 0xdb0000 end_va = 0xdb5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Thread: id = 563 os_tid = 0xcac [0187.227] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0187.227] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.227] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0187.227] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.228] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0187.228] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0187.228] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.228] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0187.229] GetProcessHeap () returned 0xdd0000 [0187.229] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.229] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0187.229] GetLastError () returned 0x7e [0187.229] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0187.229] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0187.229] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x364) returned 0xde0a48 [0187.230] SetLastError (dwErrCode=0x7e) [0187.230] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0xe00) returned 0xde0db8 [0187.232] GetStartupInfoW (in: lpStartupInfo=0x18fdb8 | out: lpStartupInfo=0x18fdb8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0187.232] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0187.232] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0187.232] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0187.232] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"" [0187.232] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"" [0187.232] GetACP () returned 0x4e4 [0187.232] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0x220) returned 0xde1bc0 [0187.232] IsValidCodePage (CodePage=0x4e4) returned 1 [0187.232] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdd8 | out: lpCPInfo=0x18fdd8) returned 1 [0187.232] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6a0 | out: lpCPInfo=0x18f6a0) returned 1 [0187.232] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.232] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x18f448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0187.232] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f6b4 | out: lpCharType=0x18f6b4) returned 1 [0187.232] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.232] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x18f3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0187.232] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.233] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0187.233] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0187.233] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f1e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0187.233] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbb4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®7¿&ðý\x18", lpUsedDefaultChar=0x0) returned 256 [0187.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.233] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb4, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0187.233] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0187.233] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f208, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0187.233] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fab4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ®7¿&ðý\x18", lpUsedDefaultChar=0x0) returned 256 [0187.233] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0x80) returned 0xdd3850 [0187.233] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0187.233] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x176) returned 0xde1de8 [0187.233] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0187.233] GetLastError () returned 0x0 [0187.233] SetLastError (dwErrCode=0x0) [0187.233] GetEnvironmentStringsW () returned 0xde1f68* [0187.233] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0xa8c) returned 0xde2a00 [0187.234] FreeEnvironmentStringsW (penv=0xde1f68) returned 1 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x90) returned 0xdd47a0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x3e) returned 0xddac68 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x5c) returned 0xdd8a78 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x6e) returned 0xdd4868 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x78) returned 0xde3640 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x62) returned 0xdd4c38 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x28) returned 0xdd3fd0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x48) returned 0xdd4220 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x1a) returned 0xdd0570 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x3a) returned 0xddacb0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x62) returned 0xdd3bd0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x2a) returned 0xdd89d0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x2e) returned 0xdd8880 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x1c) returned 0xdd4000 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x144) returned 0xdd9c90 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x7c) returned 0xdd82d8 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x36) returned 0xdddf58 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x3a) returned 0xdda9e0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x90) returned 0xdd45d8 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x24) returned 0xdd38f0 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x30) returned 0xdd87d8 [0187.234] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x36) returned 0xdde618 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x48) returned 0xdd28f0 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x52) returned 0xdd04b8 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x3c) returned 0xddb010 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0xd6) returned 0xdd9e50 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x2e) returned 0xdd8960 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x1e) returned 0xdd2940 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x2c) returned 0xdd8998 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x54) returned 0xdd4048 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x52) returned 0xdd42a8 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x24) returned 0xdd40a8 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x42) returned 0xdd4308 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x2c) returned 0xdd8650 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x44) returned 0xdd9f80 [0187.235] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x24) returned 0xdd3920 [0187.236] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xde2a00 | out: hHeap=0xdd0000) returned 1 [0187.236] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x8, Size=0x800) returned 0xde1f68 [0187.236] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0187.236] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0187.236] GetStartupInfoW (in: lpStartupInfo=0x18fe1c | out: lpStartupInfo=0x18fe1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0187.236] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"" [0187.236] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"0\"", pNumArgs=0x18fe08 | out: pNumArgs=0x18fe08) returned 0xde2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0187.237] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0187.239] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0x1000) returned 0xde44a0 [0187.239] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0x24) returned 0xdda6c8 [0187.239] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_terminate", cchWideChar=-1, lpMultiByteStr=0xdda6c8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_terminate", lpUsedDefaultChar=0x0) returned 18 [0187.239] GetLastError () returned 0x0 [0187.239] SetLastError (dwErrCode=0x0) [0187.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateW") returned 0x0 [0187.240] GetLastError () returned 0x7f [0187.240] SetLastError (dwErrCode=0x7f) [0187.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateA") returned 0x0 [0187.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminate") returned 0x647cad58 [0187.240] RtlAllocateHeap (HeapHandle=0xdd0000, Flags=0x0, Size=0x4) returned 0xdd37f8 [0187.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xdd37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0187.240] GetActiveWindow () returned 0x0 [0187.242] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xde44a0 | out: hHeap=0xdd0000) returned 1 [0187.242] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xdda6c8 | out: hHeap=0xdd0000) returned 1 [0187.242] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xdd37f8 | out: hHeap=0xdd0000) returned 1 [0187.242] GetCurrentProcessId () returned 0x11d0 [0187.242] GetCurrentThreadId () returned 0xcac [0187.243] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0187.258] Thread32First (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.259] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.260] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.260] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.261] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.261] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.262] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.263] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.263] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.264] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.264] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.265] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.266] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.266] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.267] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.267] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.268] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.269] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.269] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.270] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.270] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.271] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.271] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.272] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.273] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.273] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.274] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.274] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.275] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.275] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.276] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.277] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.277] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.279] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.280] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.280] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.281] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.282] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.282] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.283] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.283] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.284] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.284] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.285] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.286] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.286] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.287] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.287] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.288] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.289] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.289] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.290] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.290] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.291] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.291] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.292] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.293] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.293] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.295] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.295] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.296] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.297] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.297] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.298] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.298] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.299] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.300] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.300] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.301] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.301] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.302] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.303] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.303] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.304] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.304] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.305] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.305] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.306] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.307] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.307] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.308] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.308] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.309] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.310] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.311] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.311] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.312] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.313] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.313] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.314] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.315] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.315] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.316] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.316] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.317] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.318] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.318] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.319] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.319] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.320] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.321] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.321] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.322] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.322] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.323] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.324] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.324] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.325] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.325] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.326] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.327] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.327] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.328] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.328] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.329] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.330] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.330] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.331] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.332] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.332] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.333] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.334] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.334] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.335] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.336] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.336] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.337] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.337] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.338] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.339] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.339] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.340] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.343] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.343] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.344] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.344] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.345] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.346] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.346] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.347] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.347] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.348] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.349] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.349] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.350] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.350] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.351] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.351] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.352] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.353] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.353] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.354] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.354] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.355] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.356] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.356] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.357] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.358] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.358] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.359] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.359] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.360] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.360] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.361] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.362] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.362] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.363] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.363] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.364] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.365] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.365] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.366] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.366] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.367] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.368] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.368] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.369] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.369] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.370] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.370] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.371] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.372] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.373] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.373] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.374] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.375] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.375] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.376] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.376] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.377] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.378] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.378] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.379] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.379] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.380] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.381] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.381] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.382] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.382] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.383] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.383] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.384] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.385] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.385] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.386] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.386] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.387] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.392] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.393] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.393] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.394] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.394] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.395] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.396] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.397] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.397] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.398] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.399] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.400] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.400] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.401] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.402] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.403] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.404] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.404] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.405] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.406] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.406] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.407] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.408] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.408] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.409] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.409] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.410] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.410] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.411] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.412] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.413] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.413] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.414] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.415] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.415] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.416] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.417] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.417] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.418] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.419] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.419] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.420] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.420] Thread32Next (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0187.791] CloseHandle (hObject=0x150) returned 1 [0187.791] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd00) returned 0x150 [0187.791] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0247.277] CloseHandle (hObject=0x150) returned 1 [0247.277] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0247.296] Thread32First (hSnapshot=0x150, lpte=0x18fdec) returned 1 [0248.225] CloseHandle (hObject=0x150) returned 1 [0248.225] FreeLibrary (hLibModule=0x647c0000) returned 1 [0248.227] LocalFree (hMem=0xde2bb8) returned 0x0 [0248.228] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0248.228] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0248.228] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xdd3850 | out: hHeap=0xdd0000) returned 1 [0248.229] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xde1f68 | out: hHeap=0xdd0000) returned 1 [0248.229] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0248.230] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0248.230] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fe14 | out: phModule=0x18fe14) returned 0 [0248.230] ExitProcess (uExitCode=0x0) [0248.230] HeapFree (in: hHeap=0xdd0000, dwFlags=0x0, lpMem=0xde0a48 | out: hHeap=0xdd0000) returned 1 Thread: id = 566 os_tid = 0xd00 Process: id = "267" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3141b000" os_pid = "0xd10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19571 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19572 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19573 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19574 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19575 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19576 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19577 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19578 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19579 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 19580 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19581 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19582 start_va = 0x7f330000 end_va = 0x7f352fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f330000" filename = "" Region: id = 19583 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19584 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19585 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19586 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19594 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19595 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19596 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19597 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19598 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19599 start_va = 0xb90000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 19600 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19601 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19602 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19603 start_va = 0x7f230000 end_va = 0x7f32ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f230000" filename = "" Region: id = 19604 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19605 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 19606 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19607 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19608 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19609 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 19610 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19611 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19612 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19613 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19614 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19615 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19616 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19617 start_va = 0xb80000 end_va = 0xb83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 19618 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19619 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19620 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19621 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19622 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19623 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19624 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19625 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19626 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19627 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19628 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 19629 start_va = 0xb90000 end_va = 0xbb9fff monitored = 0 entry_point = 0xb95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19630 start_va = 0xbf0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 19631 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19633 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19634 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19635 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 19636 start_va = 0xcf0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 19637 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19638 start_va = 0xcf0000 end_va = 0xd80fff monitored = 0 entry_point = 0xd28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19639 start_va = 0xdf0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 19642 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19643 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 19644 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 19645 start_va = 0xba0000 end_va = 0xba7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 19646 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 19647 start_va = 0xbb0000 end_va = 0xbb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 19648 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 19649 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 19650 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 19651 start_va = 0xbb0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Thread: id = 567 os_tid = 0x1374 [0187.890] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0187.891] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.891] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0187.891] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.891] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0187.891] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0187.892] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.892] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0187.893] GetProcessHeap () returned 0xbf0000 [0187.893] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.893] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0187.893] GetLastError () returned 0x7e [0187.893] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0187.893] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0187.893] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x364) returned 0xc009a8 [0187.893] SetLastError (dwErrCode=0x7e) [0187.894] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xe00) returned 0xc00d18 [0187.895] GetStartupInfoW (in: lpStartupInfo=0x18fe7c | out: lpStartupInfo=0x18fe7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0187.896] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0187.896] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0187.896] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0187.896] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"" [0187.896] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"" [0187.896] GetACP () returned 0x4e4 [0187.896] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x220) returned 0xc01b20 [0187.896] IsValidCodePage (CodePage=0x4e4) returned 1 [0187.896] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe9c | out: lpCPInfo=0x18fe9c) returned 1 [0187.896] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f764 | out: lpCPInfo=0x18f764) returned 1 [0187.896] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.896] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x18f508, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0187.896] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f778 | out: lpCharType=0x18f778) returned 1 [0187.896] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.896] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x18f4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0187.896] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0187.897] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0187.897] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0187.897] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f2a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0187.897] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc78, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x08Çz$´þ\x18", lpUsedDefaultChar=0x0) returned 256 [0187.897] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0187.897] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd78, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0187.897] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0187.897] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0187.897] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb78, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x08Çz$´þ\x18", lpUsedDefaultChar=0x0) returned 256 [0187.897] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x80) returned 0xbf3880 [0187.897] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0187.897] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x194) returned 0xc01d48 [0187.897] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0187.897] GetLastError () returned 0x0 [0187.897] SetLastError (dwErrCode=0x0) [0187.897] GetEnvironmentStringsW () returned 0xc01ee8* [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0xa8c) returned 0xc02980 [0187.898] FreeEnvironmentStringsW (penv=0xc01ee8) returned 1 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf4570 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3e) returned 0xbfae00 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x5c) returned 0xbf8aa8 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x6e) returned 0xbf4638 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x78) returned 0xc03f40 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf4c68 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x28) returned 0xbf3da0 [0187.898] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf3ff0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1a) returned 0xbf0570 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfac50 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x62) returned 0xbf3c00 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2a) returned 0xbf8728 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf88b0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1c) returned 0xbf3dd0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x144) returned 0xbf9cc0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x7c) returned 0xbf8308 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe178 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3a) returned 0xbfb0d0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x90) returned 0xbf43a8 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3920 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x30) returned 0xbf87d0 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x36) returned 0xbfe5f8 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x48) returned 0xbf2910 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf04b8 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x3c) returned 0xbfb160 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0xd6) returned 0xbf9e80 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2e) returned 0xbf8760 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x1e) returned 0xbf2960 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf88e8 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x54) returned 0xbf3e18 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x52) returned 0xbf4078 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3e78 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x42) returned 0xbf40d8 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x2c) returned 0xbf8990 [0187.899] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x44) returned 0xbf9fb0 [0187.900] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x24) returned 0xbf3950 [0187.900] HeapFree (in: hHeap=0xbf0000, dwFlags=0x0, lpMem=0xc02980 | out: hHeap=0xbf0000) returned 1 [0187.900] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x8, Size=0x800) returned 0xc01ee8 [0187.900] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0187.900] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0187.900] GetStartupInfoW (in: lpStartupInfo=0x18fee0 | out: lpStartupInfo=0x18fee0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0187.900] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"" [0187.901] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"", pNumArgs=0x18fecc | out: pNumArgs=0x18fecc) returned 0xc02b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0187.901] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0187.906] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x1000) returned 0xc04420 [0187.906] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x42) returned 0xbfa6f8 [0187.906] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_deserializeTokenId", cchWideChar=-1, lpMultiByteStr=0xbfa6f8, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_deserializeTokenId", lpUsedDefaultChar=0x0) returned 33 [0187.906] GetLastError () returned 0x0 [0187.906] SetLastError (dwErrCode=0x0) [0187.906] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdW") returned 0x0 [0187.906] GetLastError () returned 0x7f [0187.906] SetLastError (dwErrCode=0x7f) [0187.906] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdA") returned 0x0 [0187.907] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenId") returned 0x647cd9f5 [0187.907] RtlAllocateHeap (HeapHandle=0xbf0000, Flags=0x0, Size=0x4) returned 0xbf3828 [0187.907] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xbf3828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0187.907] GetActiveWindow () returned 0x0 [0187.908] GetLastError () returned 0x7f [0187.908] SetLastError (dwErrCode=0x7f) Thread: id = 569 os_tid = 0xce0 Process: id = "268" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59472000" os_pid = "0x358" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "267" os_parent_pid = "0xd10" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "269" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59d32000" os_pid = "0x12cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19682 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19683 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19684 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19685 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19686 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19687 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19688 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19689 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19690 start_va = 0xec0000 end_va = 0xec1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 19691 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19692 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19693 start_va = 0x7e9c0000 end_va = 0x7e9e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9c0000" filename = "" Region: id = 19694 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19695 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19696 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19697 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19700 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19701 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19702 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19703 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19704 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19705 start_va = 0xed0000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 19706 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19707 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19708 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19709 start_va = 0x7e8c0000 end_va = 0x7e9bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8c0000" filename = "" Region: id = 19710 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19711 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 19712 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19713 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19714 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19715 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 19716 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19717 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19718 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19719 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19720 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19721 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19722 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19723 start_va = 0xec0000 end_va = 0xec3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 19724 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19725 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19726 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19727 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19728 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19729 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19730 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19731 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19732 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19733 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19734 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 19735 start_va = 0xed0000 end_va = 0xef9fff monitored = 0 entry_point = 0xed5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19736 start_va = 0x1070000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 19737 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19738 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19739 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19740 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 19741 start_va = 0xed0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 19742 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19743 start_va = 0xed0000 end_va = 0xf60fff monitored = 0 entry_point = 0xf08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19744 start_va = 0x1010000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 19745 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19746 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 19747 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 19748 start_va = 0xee0000 end_va = 0xee7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 19749 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 19750 start_va = 0xef0000 end_va = 0xef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 19751 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 19752 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 19753 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 19754 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Thread: id = 570 os_tid = 0xce4 [0188.388] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0188.388] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0188.388] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0188.388] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0188.389] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0188.389] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0188.389] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0188.390] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0188.390] GetProcessHeap () returned 0x1070000 [0188.390] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0188.390] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0188.390] GetLastError () returned 0x7e [0188.391] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0188.391] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0188.391] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x364) returned 0x10809a0 [0188.391] SetLastError (dwErrCode=0x7e) [0188.391] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0xe00) returned 0x1080d10 [0188.393] GetStartupInfoW (in: lpStartupInfo=0x18f95c | out: lpStartupInfo=0x18f95c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0188.393] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0188.393] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0188.393] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0188.393] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"" [0188.393] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"" [0188.393] GetACP () returned 0x4e4 [0188.393] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x220) returned 0x1081b18 [0188.393] IsValidCodePage (CodePage=0x4e4) returned 1 [0188.394] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f97c | out: lpCPInfo=0x18f97c) returned 1 [0188.394] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f244 | out: lpCPInfo=0x18f244) returned 1 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0188.394] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f258 | out: lpCharType=0x18f258) returned 1 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18ef98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0188.394] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0188.394] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0188.394] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0188.394] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0188.394] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f758, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍÎÀþ\x94ù\x18", lpUsedDefaultChar=0x0) returned 256 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0188.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18efb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0188.395] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0188.395] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eda8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0188.395] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f658, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÍÎÀþ\x94ù\x18", lpUsedDefaultChar=0x0) returned 256 [0188.395] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x80) returned 0x1073878 [0188.395] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0188.395] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x190) returned 0x1081d40 [0188.395] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0188.395] GetLastError () returned 0x0 [0188.395] SetLastError (dwErrCode=0x0) [0188.395] GetEnvironmentStringsW () returned 0x1081ed8* [0188.395] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0xa8c) returned 0x1082970 [0188.396] FreeEnvironmentStringsW (penv=0x1081ed8) returned 1 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x90) returned 0x1074568 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3e) returned 0x107b080 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x5c) returned 0x1078aa0 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x6e) returned 0x1074630 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x78) returned 0x10842b0 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x62) returned 0x1074c60 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x28) returned 0x1073d98 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x48) returned 0x1073fe8 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1a) returned 0x1070570 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3a) returned 0x107ab28 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x62) returned 0x1073bf8 [0188.396] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2a) returned 0x10786e8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2e) returned 0x1078918 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1c) returned 0x1073dc8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x144) returned 0x1079cb8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x7c) returned 0x1078300 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x36) returned 0x107e1f0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3a) returned 0x107ae40 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x90) returned 0x10743a0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073918 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x30) returned 0x10786b0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x36) returned 0x107dff0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x48) returned 0x1072908 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x52) returned 0x10704b8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3c) returned 0x107aa08 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0xd6) returned 0x1079e78 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2e) returned 0x1078800 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1e) returned 0x1072958 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2c) returned 0x10788e0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x54) returned 0x1073e10 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x52) returned 0x1074070 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073e70 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x42) returned 0x10740d0 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2c) returned 0x10787c8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x44) returned 0x1079fa8 [0188.397] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073948 [0188.398] HeapFree (in: hHeap=0x1070000, dwFlags=0x0, lpMem=0x1082970 | out: hHeap=0x1070000) returned 1 [0188.398] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x800) returned 0x1081ed8 [0188.398] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0188.398] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0188.399] GetStartupInfoW (in: lpStartupInfo=0x18f9c0 | out: lpStartupInfo=0x18f9c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0188.399] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"" [0188.399] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"", pNumArgs=0x18f9ac | out: pNumArgs=0x18f9ac) returned 0x1082b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0188.399] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0188.402] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x1000) returned 0x1084410 [0188.402] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x3e) returned 0x107acd8 [0188.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_duplicateTokenId", cchWideChar=-1, lpMultiByteStr=0x107acd8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_duplicateTokenId", lpUsedDefaultChar=0x0) returned 31 [0188.403] GetLastError () returned 0x0 [0188.403] SetLastError (dwErrCode=0x0) [0188.403] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdW") returned 0x0 [0188.403] GetLastError () returned 0x7f [0188.403] SetLastError (dwErrCode=0x7f) [0188.404] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdA") returned 0x0 [0188.404] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenId") returned 0x647c4602 [0188.404] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x4) returned 0x1073820 [0188.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x1073820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0188.404] GetActiveWindow () returned 0x0 [0188.406] GetLastError () returned 0x7f [0188.406] SetLastError (dwErrCode=0x7f) Thread: id = 572 os_tid = 0x110c Process: id = "270" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3158c000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "269" os_parent_pid = "0x12cc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "271" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3149b000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19759 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19760 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19761 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19762 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19763 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19764 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19765 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19766 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19767 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19768 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19769 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19770 start_va = 0x7f080000 end_va = 0x7f0a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f080000" filename = "" Region: id = 19771 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19772 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19773 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19774 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19787 start_va = 0x410000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 19795 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19796 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19797 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19798 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19799 start_va = 0x4e0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 19800 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19801 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19803 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19804 start_va = 0x7ef80000 end_va = 0x7f07ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef80000" filename = "" Region: id = 19805 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19806 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19807 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19808 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19809 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 19810 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 19811 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19812 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19813 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19814 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19815 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19816 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19817 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19818 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19819 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 19823 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19824 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19825 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19826 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19827 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19828 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19829 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19830 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19831 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19832 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19833 start_va = 0x5e0000 end_va = 0x609fff monitored = 0 entry_point = 0x5e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19834 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 19835 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19838 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19839 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 19840 start_va = 0x8b0000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 19841 start_va = 0xa40000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 19842 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19843 start_va = 0xa40000 end_va = 0xad0fff monitored = 0 entry_point = 0xa78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19844 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 19845 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19846 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 19847 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19848 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19849 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 19850 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 19851 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 19852 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 19853 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 19854 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 574 os_tid = 0x7e8 [0189.220] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0189.220] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.220] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0189.220] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.221] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0189.221] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0189.221] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.222] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0189.222] GetProcessHeap () returned 0x620000 [0189.222] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.222] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0189.222] GetLastError () returned 0x7e [0189.222] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0189.223] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0189.223] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x364) returned 0x630a68 [0189.223] SetLastError (dwErrCode=0x7e) [0189.223] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe00) returned 0x630dd8 [0189.242] GetStartupInfoW (in: lpStartupInfo=0x18f81c | out: lpStartupInfo=0x18f81c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0189.242] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0189.242] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0189.242] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0189.242] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"" [0189.242] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"" [0189.242] GetACP () returned 0x4e4 [0189.243] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x220) returned 0x631be0 [0189.243] IsValidCodePage (CodePage=0x4e4) returned 1 [0189.243] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f83c | out: lpCPInfo=0x18f83c) returned 1 [0189.243] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f104 | out: lpCPInfo=0x18f104) returned 1 [0189.243] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.243] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0189.243] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f118 | out: lpCharType=0x18f118) returned 1 [0189.243] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.243] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x18ee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0189.243] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.243] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0189.243] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0189.243] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0189.243] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f618, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ~ÚY[Tø\x18", lpUsedDefaultChar=0x0) returned 256 [0189.244] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.244] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f718, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0189.244] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0189.244] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0189.244] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f518, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ~ÚY[Tø\x18", lpUsedDefaultChar=0x0) returned 256 [0189.244] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x80) returned 0x623868 [0189.244] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0189.244] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x188) returned 0x631e08 [0189.244] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0189.244] GetLastError () returned 0x0 [0189.244] SetLastError (dwErrCode=0x0) [0189.244] GetEnvironmentStringsW () returned 0x631f98* [0189.244] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0xa8c) returned 0x632a30 [0189.245] FreeEnvironmentStringsW (penv=0x631f98) returned 1 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x90) returned 0x624558 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3e) returned 0x62abf8 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x5c) returned 0x628a98 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x6e) returned 0x624850 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x78) returned 0x633870 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x62) returned 0x6249f0 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x28) returned 0x623d88 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x48) returned 0x623fd8 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1a) returned 0x623db8 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3a) returned 0x62aec8 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x62) returned 0x624620 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2a) returned 0x6289f0 [0189.245] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2e) returned 0x6287f8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1c) returned 0x6247c0 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x144) returned 0x629cb0 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x7c) returned 0x624390 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x36) returned 0x62e378 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3a) returned 0x62ac88 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x90) returned 0x623e00 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x6247e8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x30) returned 0x6286e0 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x36) returned 0x62e4f8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x48) returned 0x623be8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x52) returned 0x623908 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3c) returned 0x62aa00 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xd6) returned 0x629e70 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2e) returned 0x628670 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1e) returned 0x623c38 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2c) returned 0x628868 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x54) returned 0x622900 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x52) returned 0x6204b8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x624060 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x42) returned 0x624090 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2c) returned 0x6286a8 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x44) returned 0x629fa0 [0189.246] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x6240e0 [0189.247] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x632a30 | out: hHeap=0x620000) returned 1 [0189.247] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x800) returned 0x631f98 [0189.247] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0189.247] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0189.247] GetStartupInfoW (in: lpStartupInfo=0x18f880 | out: lpStartupInfo=0x18f880*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0189.247] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"" [0189.247] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"", pNumArgs=0x18f86c | out: pNumArgs=0x18f86c) returned 0x632be8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0189.248] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0189.251] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x1000) returned 0x6344d0 [0189.251] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x36) returned 0x62e1b8 [0189.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_ensureAccess", cchWideChar=-1, lpMultiByteStr=0x62e1b8, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_ensureAccess", lpUsedDefaultChar=0x0) returned 27 [0189.251] GetLastError () returned 0x0 [0189.251] SetLastError (dwErrCode=0x0) [0189.251] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessW") returned 0x0 [0189.251] GetLastError () returned 0x7f [0189.251] SetLastError (dwErrCode=0x7f) [0189.251] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessA") returned 0x0 [0189.252] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccess") returned 0x647cd3d9 [0189.252] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x4) returned 0x623e98 [0189.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x623e98, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0189.252] GetActiveWindow () returned 0x0 [0189.253] GetLastError () returned 0x7f [0189.253] SetLastError (dwErrCode=0x7f) Thread: id = 576 os_tid = 0xdc4 Process: id = "272" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5774d000" os_pid = "0xc74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "271" os_parent_pid = "0x12bc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "273" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3115e000" os_pid = "0xc64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19855 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19856 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19857 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19858 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19859 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 19860 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 19861 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 19862 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19863 start_va = 0x980000 end_va = 0x981fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 19864 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 19865 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19866 start_va = 0x7f6f0000 end_va = 0x7f712fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 19867 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19868 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19869 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19870 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19873 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19874 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19875 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19876 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19877 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19878 start_va = 0x990000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 19879 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19880 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19881 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19882 start_va = 0x7f5f0000 end_va = 0x7f6effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5f0000" filename = "" Region: id = 19883 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19884 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 19885 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19886 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19887 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19888 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 19889 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 19890 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19891 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19892 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 19893 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19894 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19895 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19896 start_va = 0x980000 end_va = 0x983fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 19897 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19898 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19899 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19900 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19901 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 19902 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 19903 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19904 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 19905 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 19906 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 19907 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 19908 start_va = 0x990000 end_va = 0x9b9fff monitored = 0 entry_point = 0x995680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19909 start_va = 0xad0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 19910 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19911 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 19912 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 19913 start_va = 0xbd0000 end_va = 0xd50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 19914 start_va = 0xd60000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 19915 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 19916 start_va = 0x990000 end_va = 0xa20fff monitored = 0 entry_point = 0x9c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 19918 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 19921 start_va = 0x990000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 19922 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 19923 start_va = 0x9a0000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 19924 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 19925 start_va = 0x9b0000 end_va = 0x9b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 19926 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 19927 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 19928 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 19929 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Thread: id = 577 os_tid = 0xb30 [0189.908] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0189.909] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.909] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0189.909] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.909] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0189.910] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0189.911] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.911] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0189.914] GetProcessHeap () returned 0xad0000 [0189.914] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.914] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0189.914] GetLastError () returned 0x7e [0189.914] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0189.915] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0189.915] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x364) returned 0xae0a60 [0189.915] SetLastError (dwErrCode=0x7e) [0189.916] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0xe00) returned 0xae0dd0 [0189.918] GetStartupInfoW (in: lpStartupInfo=0x18f998 | out: lpStartupInfo=0x18f998*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0189.918] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0189.918] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0189.918] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0189.918] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"" [0189.918] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"" [0189.918] GetACP () returned 0x4e4 [0189.918] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0x220) returned 0xae1bd8 [0189.918] IsValidCodePage (CodePage=0x4e4) returned 1 [0189.918] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9b8 | out: lpCPInfo=0x18f9b8) returned 1 [0189.919] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f280 | out: lpCPInfo=0x18f280) returned 1 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0189.919] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f294 | out: lpCharType=0x18f294) returned 1 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0189.919] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0189.919] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0189.919] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0189.919] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0189.919] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f794, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQ5\x9fWÐù\x18", lpUsedDefaultChar=0x0) returned 256 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0189.919] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f894, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0189.919] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0189.919] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ede8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0189.919] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f694, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQ5\x9fWÐù\x18", lpUsedDefaultChar=0x0) returned 256 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0x80) returned 0xad3868 [0189.920] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x188) returned 0xae1e00 [0189.920] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0189.920] GetLastError () returned 0x0 [0189.920] SetLastError (dwErrCode=0x0) [0189.920] GetEnvironmentStringsW () returned 0xae1f90* [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0xa8c) returned 0xae2a28 [0189.920] FreeEnvironmentStringsW (penv=0xae1f90) returned 1 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x90) returned 0xad4558 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x3e) returned 0xadaf98 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x5c) returned 0xad8830 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x6e) returned 0xad4620 [0189.920] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x78) returned 0xae43e8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x62) returned 0xad49f0 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x28) returned 0xad3d88 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x48) returned 0xad3fd8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x1a) returned 0xad0570 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x3a) returned 0xadad10 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x62) returned 0xad3be8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x2a) returned 0xad8670 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x2e) returned 0xad8638 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x1c) returned 0xad3db8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x144) returned 0xad9ca8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x7c) returned 0xad8090 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x36) returned 0xade0f0 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x3a) returned 0xadad58 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x90) returned 0xad4390 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x24) returned 0xad3908 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x30) returned 0xad84b0 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x36) returned 0xade6f0 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x48) returned 0xad2900 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x52) returned 0xad04b8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x3c) returned 0xadada0 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0xd6) returned 0xad9e68 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x2e) returned 0xad84e8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x1e) returned 0xad2950 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x2c) returned 0xad86a8 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x54) returned 0xad3e00 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x52) returned 0xad4060 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x24) returned 0xad3e60 [0189.921] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x42) returned 0xad40c0 [0189.922] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x2c) returned 0xad86e0 [0189.922] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x44) returned 0xad9f98 [0189.922] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x24) returned 0xad3938 [0189.922] HeapFree (in: hHeap=0xad0000, dwFlags=0x0, lpMem=0xae2a28 | out: hHeap=0xad0000) returned 1 [0189.922] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x8, Size=0x800) returned 0xae1f90 [0189.922] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0189.922] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0189.922] GetStartupInfoW (in: lpStartupInfo=0x18f9fc | out: lpStartupInfo=0x18f9fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0189.922] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"" [0189.923] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"", pNumArgs=0x18f9e8 | out: pNumArgs=0x18f9e8) returned 0xae2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0189.923] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0189.925] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0x1000) returned 0xae44c8 [0189.925] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0x36) returned 0xade1b0 [0189.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_enumTokenIds", cchWideChar=-1, lpMultiByteStr=0xade1b0, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_enumTokenIds", lpUsedDefaultChar=0x0) returned 27 [0189.926] GetLastError () returned 0x0 [0189.926] SetLastError (dwErrCode=0x0) [0189.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsW") returned 0x0 [0189.926] GetLastError () returned 0x7f [0189.926] SetLastError (dwErrCode=0x7f) [0189.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsA") returned 0x0 [0189.926] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIds") returned 0x647c5113 [0189.926] RtlAllocateHeap (HeapHandle=0xad0000, Flags=0x0, Size=0x4) returned 0xad3810 [0189.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0xad3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0189.926] GetActiveWindow () returned 0x0 [0189.955] GetLastError () returned 0x7f [0189.955] SetLastError (dwErrCode=0x7f) Thread: id = 579 os_tid = 0x10c0 Process: id = "274" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5ec51000" os_pid = "0x10d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "273" os_parent_pid = "0xc64" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3172 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19931 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19932 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19933 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 19934 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 19935 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 19936 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 19937 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 19938 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 19939 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 19940 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 19941 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 19942 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 19943 start_va = 0x7f500000 end_va = 0x7f522fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f500000" filename = "" Region: id = 19944 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 19945 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 19946 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 19947 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 19948 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 19949 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19950 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 19951 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 19952 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19953 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 19954 start_va = 0xaf0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 19955 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 19956 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 19957 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 19958 start_va = 0x7f400000 end_va = 0x7f4fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f400000" filename = "" Region: id = 19959 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 19960 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 19961 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 19962 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 19963 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 19964 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 19965 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 19966 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 19967 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 19968 start_va = 0xae0000 end_va = 0xae3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 19969 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 19970 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 19971 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 19972 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 19973 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 19974 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 19975 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 19976 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 19977 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 19978 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 19979 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 19980 start_va = 0xce0000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 19981 start_va = 0xe10000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 19982 start_va = 0xaf0000 end_va = 0xaf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 19983 start_va = 0xbe0000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 19984 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 19985 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 19986 start_va = 0x5a0000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 19987 start_va = 0xb00000 end_va = 0xb29fff monitored = 0 entry_point = 0xb05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19988 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 19989 start_va = 0x730000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 19990 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 19991 start_va = 0xb00000 end_va = 0xb03fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 20008 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20009 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 20010 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 20011 start_va = 0xb10000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 20056 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 20057 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 20058 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 20059 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 20060 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20061 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 20062 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 20063 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20064 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20065 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20066 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20067 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20068 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20069 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20070 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20075 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20076 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20077 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20078 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20079 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20080 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20081 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20082 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20083 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20084 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20085 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20086 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20087 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20088 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20089 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20090 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20091 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20092 start_va = 0xb30000 end_va = 0xb36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 20093 start_va = 0xb30000 end_va = 0xb6dfff monitored = 1 entry_point = 0xb31400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20094 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 20095 start_va = 0xb70000 end_va = 0xb76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 20104 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 20105 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 20106 start_va = 0xce0000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 20107 start_va = 0xe00000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 20108 start_va = 0xb70000 end_va = 0xb71fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 20109 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20116 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 20117 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20118 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 20119 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 20120 start_va = 0xe10000 end_va = 0xef9fff monitored = 0 entry_point = 0xe4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20121 start_va = 0xf30000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 20122 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 20123 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20124 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 20125 start_va = 0xe10000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 20126 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20143 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20144 start_va = 0xb80000 end_va = 0xb83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20145 start_va = 0xb80000 end_va = 0xb85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20146 start_va = 0xb80000 end_va = 0xb87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20147 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 20148 start_va = 0xb80000 end_va = 0xb89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20149 start_va = 0xb80000 end_va = 0xb8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20150 start_va = 0xb80000 end_va = 0xb8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20151 start_va = 0xb80000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20152 start_va = 0xb80000 end_va = 0xb91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20153 start_va = 0xb80000 end_va = 0xb93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20154 start_va = 0xb80000 end_va = 0xb95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20155 start_va = 0xb80000 end_va = 0xb97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20156 start_va = 0xb80000 end_va = 0xb99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20157 start_va = 0xb80000 end_va = 0xb9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20158 start_va = 0xb80000 end_va = 0xb9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20159 start_va = 0xb80000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20185 start_va = 0xf40000 end_va = 0x101ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 20219 start_va = 0x6870000 end_va = 0x693ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 20220 start_va = 0x1020000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 20221 start_va = 0x6940000 end_va = 0x69e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 20310 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 20311 start_va = 0xb90000 end_va = 0xb92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 20312 start_va = 0xba0000 end_va = 0xba3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 20313 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 20314 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20315 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20316 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20317 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20318 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20319 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20320 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20321 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20322 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20323 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20324 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20325 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20326 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20327 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20343 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20344 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20345 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20346 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20347 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20348 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20349 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20350 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20351 start_va = 0x6870000 end_va = 0x696ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 20352 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20353 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20354 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20355 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20356 start_va = 0xbc0000 end_va = 0xbc6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20365 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 20366 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 20367 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20368 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20369 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20370 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20371 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20379 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 20380 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 20381 start_va = 0x560000 end_va = 0x561fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 20382 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 20383 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 20384 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 20385 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 20386 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 20387 start_va = 0xbd0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 20391 start_va = 0x6f7c0000 end_va = 0x6f7f3fff monitored = 0 entry_point = 0x6f7d8280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 20807 start_va = 0x8c0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 20808 start_va = 0x900000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 20809 start_va = 0x940000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 20810 start_va = 0x980000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 20811 start_va = 0x9c0000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 20812 start_va = 0xa00000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 20946 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 21238 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 21239 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 21501 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 21705 start_va = 0xbc0000 end_va = 0xbc4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 21706 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 21707 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 21865 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22039 start_va = 0xa40000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 22040 start_va = 0xa80000 end_va = 0xabffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 22042 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 22043 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22161 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22379 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 22380 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 22382 start_va = 0xd60000 end_va = 0xd9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 22383 start_va = 0xda0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 22384 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 22385 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 22386 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 22387 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 22388 start_va = 0x1020000 end_va = 0x10dbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 22389 start_va = 0xde0000 end_va = 0xde3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 22390 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 22391 start_va = 0xdf0000 end_va = 0xdf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 22392 start_va = 0xf10000 end_va = 0xf10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f10000" filename = "" Region: id = 22393 start_va = 0xf20000 end_va = 0xf20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f20000" filename = "" Region: id = 22395 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 22396 start_va = 0x6970000 end_va = 0x6970fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 22397 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 22398 start_va = 0x6980000 end_va = 0x6982fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 22399 start_va = 0xad0000 end_va = 0xad2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 22402 start_va = 0x6990000 end_va = 0x6e81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 22403 start_va = 0x6e90000 end_va = 0x7ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 22405 start_va = 0x7ed0000 end_va = 0x7f11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007ed0000" filename = "" Region: id = 22477 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 22478 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 580 os_tid = 0x1078 Thread: id = 581 os_tid = 0x1074 Thread: id = 585 os_tid = 0xcd8 Thread: id = 606 os_tid = 0x1300 Thread: id = 607 os_tid = 0x8e4 Thread: id = 609 os_tid = 0x123c Thread: id = 644 os_tid = 0xf18 Thread: id = 658 os_tid = 0xc1c Process: id = "275" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x315f4000" os_pid = "0x10b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "273" os_parent_pid = "0xc64" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "276" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x31076000" os_pid = "0x11a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 19992 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 19993 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 19994 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 19995 start_va = 0x50000 end_va = 0x64fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 19996 start_va = 0x70000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 19997 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 19998 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 19999 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20000 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20001 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20002 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20003 start_va = 0x7ecb0000 end_va = 0x7ecd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecb0000" filename = "" Region: id = 20004 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20005 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20006 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20007 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20012 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20013 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20014 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20015 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20016 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20017 start_va = 0x400000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20018 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20019 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20020 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20021 start_va = 0x7ebb0000 end_va = 0x7ecaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebb0000" filename = "" Region: id = 20022 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20023 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20024 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20025 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20026 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 20027 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 20028 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20029 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20030 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20031 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20032 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20033 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20034 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20035 start_va = 0x40000 end_va = 0x43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 20036 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20037 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20038 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20039 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20040 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20041 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20042 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20043 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20044 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20045 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20046 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 20047 start_va = 0x8a0000 end_va = 0x8c9fff monitored = 0 entry_point = 0x8a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20048 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20049 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20050 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 20051 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 20052 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20053 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 20054 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20055 start_va = 0xa30000 end_va = 0xac0fff monitored = 0 entry_point = 0xa68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20071 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20072 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20073 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 20074 start_va = 0xa30000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 20098 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 20099 start_va = 0xa40000 end_va = 0xa41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 20100 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 20101 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 20102 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 20103 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Thread: id = 582 os_tid = 0xcfc [0190.427] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0190.428] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0190.428] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0190.428] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0190.428] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0190.428] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0190.429] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0190.429] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0190.429] GetProcessHeap () returned 0x4d0000 [0190.429] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0190.430] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0190.430] GetLastError () returned 0x7e [0190.430] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0190.430] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0190.430] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x364) returned 0x4e0a60 [0190.430] SetLastError (dwErrCode=0x7e) [0190.430] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe00) returned 0x4e0dd0 [0190.432] GetStartupInfoW (in: lpStartupInfo=0x1afe98 | out: lpStartupInfo=0x1afe98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0190.432] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0190.432] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0190.432] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0190.432] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"" [0190.432] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"" [0190.432] GetACP () returned 0x4e4 [0190.432] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x220) returned 0x4e1bd8 [0190.432] IsValidCodePage (CodePage=0x4e4) returned 1 [0190.432] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1afeb8 | out: lpCPInfo=0x1afeb8) returned 1 [0190.432] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af780 | out: lpCPInfo=0x1af780) returned 1 [0190.432] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0190.432] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x1af528, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0190.432] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1af794 | out: lpCharType=0x1af794) returned 1 [0190.433] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0190.433] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x1af4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0190.433] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0190.433] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0190.433] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0190.433] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x1af2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0190.433] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1afc94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÞl\x09ÐÐþ\x1a", lpUsedDefaultChar=0x0) returned 256 [0190.433] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0190.433] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1afd94, cbMultiByte=256, lpWideCharStr=0x1af4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0190.433] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0190.433] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1af2e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0190.433] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1afb94, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÞl\x09ÐÐþ\x1a", lpUsedDefaultChar=0x0) returned 256 [0190.433] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x80) returned 0x4d3868 [0190.433] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0190.433] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x186) returned 0x4e1e00 [0190.433] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0190.433] GetLastError () returned 0x0 [0190.433] SetLastError (dwErrCode=0x0) [0190.433] GetEnvironmentStringsW () returned 0x4e1f90* [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0xa8c) returned 0x4e2a28 [0190.434] FreeEnvironmentStringsW (penv=0x4e1f90) returned 1 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x90) returned 0x4d4558 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3e) returned 0x4dafe0 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x5c) returned 0x4d8830 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x6e) returned 0x4d4620 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x78) returned 0x4e40e8 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x62) returned 0x4d49f0 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x28) returned 0x4d3d88 [0190.434] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x48) returned 0x4d3fd8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4d0570 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3a) returned 0x4dacc8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x62) returned 0x4d3be8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2a) returned 0x4d8408 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2e) returned 0x4d86a8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1c) returned 0x4d3db8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x144) returned 0x4d9ca8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x7c) returned 0x4d8090 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x36) returned 0x4de4b0 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3a) returned 0x4dad58 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x90) returned 0x4d4390 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3908 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x30) returned 0x4d8440 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x36) returned 0x4de330 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x48) returned 0x4d2900 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x52) returned 0x4d04b8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3c) returned 0x4daf98 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xd6) returned 0x4d9e68 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2e) returned 0x4d8590 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1e) returned 0x4d2950 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2c) returned 0x4d8750 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x54) returned 0x4d3e00 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x52) returned 0x4d4060 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3e60 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x42) returned 0x4d40c0 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2c) returned 0x4d85c8 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x44) returned 0x4d9f98 [0190.435] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3938 [0190.436] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e2a28 | out: hHeap=0x4d0000) returned 1 [0190.436] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x800) returned 0x4e1f90 [0190.436] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0190.436] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0190.436] GetStartupInfoW (in: lpStartupInfo=0x1afefc | out: lpStartupInfo=0x1afefc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0190.436] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"" [0190.437] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"", pNumArgs=0x1afee8 | out: pNumArgs=0x1afee8) returned 0x4e2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0190.437] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0190.482] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x1000) returned 0x4e44c8 [0190.482] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x34) returned 0x4de4f0 [0190.482] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenId", cchWideChar=-1, lpMultiByteStr=0x4de4f0, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenId", lpUsedDefaultChar=0x0) returned 26 [0190.483] GetLastError () returned 0x0 [0190.483] SetLastError (dwErrCode=0x0) [0190.483] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdW") returned 0x0 [0190.483] GetLastError () returned 0x7f [0190.483] SetLastError (dwErrCode=0x7f) [0190.483] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdA") returned 0x0 [0190.483] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenId") returned 0x647c4538 [0190.483] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x4) returned 0x4d3810 [0190.483] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x4d3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0190.483] GetActiveWindow () returned 0x0 [0190.484] GetLastError () returned 0x7f [0190.484] SetLastError (dwErrCode=0x7f) Thread: id = 584 os_tid = 0x1274 Process: id = "277" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x30b7a000" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "276" os_parent_pid = "0x11a4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "278" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2f98e000" os_pid = "0xca8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20127 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20128 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20129 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20130 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20131 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20132 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20133 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20134 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20135 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20136 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20137 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20138 start_va = 0x7f130000 end_va = 0x7f152fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f130000" filename = "" Region: id = 20139 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20140 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20141 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20142 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20162 start_va = 0x410000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 20163 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20164 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20165 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20166 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20167 start_va = 0x5c0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 20168 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20169 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20172 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20173 start_va = 0x7f030000 end_va = 0x7f12ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f030000" filename = "" Region: id = 20174 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20175 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20176 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20177 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20178 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 20179 start_va = 0x700000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 20180 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20181 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20182 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20183 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20184 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20186 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20187 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20188 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20189 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 20190 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20191 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20192 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20193 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20194 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20195 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20196 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20197 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20198 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20199 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20200 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20201 start_va = 0x800000 end_va = 0x987fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20202 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20203 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20204 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 20205 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 20206 start_va = 0xb20000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 20207 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20208 start_va = 0x4e0000 end_va = 0x570fff monitored = 0 entry_point = 0x518cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20209 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20210 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 20211 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 20212 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 20213 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 20214 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 20215 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 20216 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 20217 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 20218 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 586 os_tid = 0x13dc [0192.050] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0192.050] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0192.050] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0192.050] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0192.050] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0192.051] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0192.051] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0192.052] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0192.052] GetProcessHeap () returned 0x700000 [0192.052] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0192.052] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0192.053] GetLastError () returned 0x7e [0192.053] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0192.053] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0192.053] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x364) returned 0x7109a0 [0192.053] SetLastError (dwErrCode=0x7e) [0192.054] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xe00) returned 0x710d10 [0192.056] GetStartupInfoW (in: lpStartupInfo=0x18f714 | out: lpStartupInfo=0x18f714*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0192.056] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0192.056] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0192.056] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0192.056] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"" [0192.056] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"" [0192.056] GetACP () returned 0x4e4 [0192.056] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x220) returned 0x711b18 [0192.056] IsValidCodePage (CodePage=0x4e4) returned 1 [0192.056] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f734 | out: lpCPInfo=0x18f734) returned 1 [0192.056] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18effc | out: lpCPInfo=0x18effc) returned 1 [0192.056] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0192.056] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0192.056] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f010 | out: lpCharType=0x18f010) returned 1 [0192.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0192.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0192.057] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0192.057] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0192.057] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0192.057] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0192.057] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f510, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQÁ\x1ajL÷\x18", lpUsedDefaultChar=0x0) returned 256 [0192.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0192.057] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f610, cbMultiByte=256, lpWideCharStr=0x18ed68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0192.057] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0192.057] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0192.057] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f410, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQÁ\x1ajL÷\x18", lpUsedDefaultChar=0x0) returned 256 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x80) returned 0x703878 [0192.058] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x18e) returned 0x711d40 [0192.058] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0192.058] GetLastError () returned 0x0 [0192.058] SetLastError (dwErrCode=0x0) [0192.058] GetEnvironmentStringsW () returned 0x711ed8* [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0xa8c) returned 0x712970 [0192.058] FreeEnvironmentStringsW (penv=0x711ed8) returned 1 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x90) returned 0x704568 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x3e) returned 0x70b158 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x5c) returned 0x708aa0 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x6e) returned 0x704630 [0192.058] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x78) returned 0x7137b0 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x62) returned 0x704c60 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x28) returned 0x703d98 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x48) returned 0x703fe8 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x1a) returned 0x700570 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x3a) returned 0x70ab70 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x62) returned 0x703bf8 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2a) returned 0x708838 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2e) returned 0x708950 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x1c) returned 0x703dc8 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x144) returned 0x709cb8 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x7c) returned 0x708300 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x36) returned 0x70e330 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x3a) returned 0x70adb0 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x90) returned 0x7043a0 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x24) returned 0x703918 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x30) returned 0x7088e0 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x36) returned 0x70e1b0 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x48) returned 0x702908 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x52) returned 0x7004b8 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x3c) returned 0x70ae40 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0xd6) returned 0x709e78 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2e) returned 0x708720 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x1e) returned 0x702958 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2c) returned 0x708800 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x54) returned 0x703e10 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x52) returned 0x704070 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x24) returned 0x703e70 [0192.059] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x42) returned 0x7040d0 [0192.060] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x2c) returned 0x7089f8 [0192.060] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x44) returned 0x709fa8 [0192.060] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x24) returned 0x703948 [0192.060] HeapFree (in: hHeap=0x700000, dwFlags=0x0, lpMem=0x712970 | out: hHeap=0x700000) returned 1 [0192.060] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x8, Size=0x800) returned 0x711ed8 [0192.060] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0192.060] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0192.060] GetStartupInfoW (in: lpStartupInfo=0x18f778 | out: lpStartupInfo=0x18f778*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0192.061] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"" [0192.061] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"", pNumArgs=0x18f764 | out: pNumArgs=0x18f764) returned 0x712b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0192.062] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0192.064] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x1000) returned 0x714410 [0192.064] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x3c) returned 0x70ac48 [0192.064] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenIdList", cchWideChar=-1, lpMultiByteStr=0x70ac48, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenIdList", lpUsedDefaultChar=0x0) returned 30 [0192.064] GetLastError () returned 0x0 [0192.064] SetLastError (dwErrCode=0x0) [0192.064] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListW") returned 0x0 [0192.064] GetLastError () returned 0x7f [0192.065] SetLastError (dwErrCode=0x7f) [0192.065] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListA") returned 0x0 [0192.065] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdList") returned 0x647c502f [0192.065] RtlAllocateHeap (HeapHandle=0x700000, Flags=0x0, Size=0x4) returned 0x703820 [0192.065] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x703820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0192.065] GetActiveWindow () returned 0x0 [0192.066] GetLastError () returned 0x7f [0192.066] SetLastError (dwErrCode=0x7f) Thread: id = 589 os_tid = 0x98c Process: id = "279" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5789d000" os_pid = "0x1328" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "278" os_parent_pid = "0xca8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "280" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2f2a6000" os_pid = "0x11c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20228 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20229 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20230 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20231 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20232 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20233 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20234 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20235 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20236 start_va = 0x880000 end_va = 0x881fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 20237 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20238 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20239 start_va = 0x7fe20000 end_va = 0x7fe42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fe20000" filename = "" Region: id = 20240 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20241 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20242 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20243 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20247 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20248 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20249 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20250 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20251 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20252 start_va = 0x890000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 20292 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20293 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20294 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20295 start_va = 0x7fd20000 end_va = 0x7fe1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fd20000" filename = "" Region: id = 20296 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20297 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 20298 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20299 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20300 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20301 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 20302 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20303 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20304 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20305 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20306 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20307 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20308 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20309 start_va = 0x880000 end_va = 0x883fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 20330 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20331 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20332 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20333 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20334 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20335 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20336 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20337 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20338 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20339 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20340 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 20341 start_va = 0x9b0000 end_va = 0x9d9fff monitored = 0 entry_point = 0x9b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20342 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20358 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20359 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20360 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 20361 start_va = 0xb40000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 20362 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20363 start_va = 0xb40000 end_va = 0xbd0fff monitored = 0 entry_point = 0xb78cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20364 start_va = 0xca0000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 20374 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20375 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 20376 start_va = 0x8b0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 20377 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 20378 start_va = 0x8a0000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 20389 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 20390 start_va = 0xb40000 end_va = 0xb41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 20394 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 20395 start_va = 0xb40000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 20396 start_va = 0x8a0000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 20397 start_va = 0xb40000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Thread: id = 590 os_tid = 0x960 [0193.388] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0193.388] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0193.388] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0193.389] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0193.389] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0193.389] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0193.389] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0193.390] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0193.390] GetProcessHeap () returned 0x8b0000 [0193.390] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0193.390] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0193.390] GetLastError () returned 0x7e [0193.390] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0193.390] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0193.390] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x364) returned 0x8c0a58 [0193.391] SetLastError (dwErrCode=0x7e) [0193.391] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0xe00) returned 0x8c0dc8 [0193.392] GetStartupInfoW (in: lpStartupInfo=0x18fbf4 | out: lpStartupInfo=0x18fbf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0193.392] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0193.392] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0193.392] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0193.393] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"" [0193.393] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"" [0193.393] GetACP () returned 0x4e4 [0193.393] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x220) returned 0x8c1bd0 [0193.393] IsValidCodePage (CodePage=0x4e4) returned 1 [0193.393] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc14 | out: lpCPInfo=0x18fc14) returned 1 [0193.393] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4dc | out: lpCPInfo=0x18f4dc) returned 1 [0193.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0193.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0193.393] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f4f0 | out: lpCharType=0x18f4f0) returned 1 [0193.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0193.393] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0193.393] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0193.393] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0193.393] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0193.393] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0193.393] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿA\x9aBÃ,ü\x18", lpUsedDefaultChar=0x0) returned 256 [0193.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0193.394] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18faf0, cbMultiByte=256, lpWideCharStr=0x18f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0193.394] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0193.394] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f038, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0193.394] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿA\x9aBÃ,ü\x18", lpUsedDefaultChar=0x0) returned 256 [0193.394] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x80) returned 0x8b3858 [0193.394] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0193.394] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x17a) returned 0x8c1df8 [0193.394] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0193.394] GetLastError () returned 0x0 [0193.394] SetLastError (dwErrCode=0x0) [0193.394] GetEnvironmentStringsW () returned 0x8c1f80* [0193.394] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0xa8c) returned 0x8c2a18 [0193.394] FreeEnvironmentStringsW (penv=0x8c1f80) returned 1 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x90) returned 0x8b4548 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3e) returned 0x8baac8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x5c) returned 0x8b8a88 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x6e) returned 0x8b4840 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x78) returned 0x8c42d8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x62) returned 0x8b49e0 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x28) returned 0x8b3d78 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x48) returned 0x8b3fc8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1a) returned 0x8b3da8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3a) returned 0x8babe8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x62) returned 0x8b4610 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2a) returned 0x8b8778 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2e) returned 0x8b87b0 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1c) returned 0x8b47b0 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x144) returned 0x8b9ca0 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x7c) returned 0x8b4380 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x36) returned 0x8be2a8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3a) returned 0x8bab10 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x90) returned 0x8b3df0 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b47d8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x30) returned 0x8b8660 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x36) returned 0x8be3a8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x48) returned 0x8b3bd8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x52) returned 0x8b38f8 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x3c) returned 0x8bab58 [0193.395] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0xd6) returned 0x8b9e60 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2e) returned 0x8b8970 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x1e) returned 0x8b3c28 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2c) returned 0x8b8698 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x54) returned 0x8b28f0 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x52) returned 0x8b04b8 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b4050 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x42) returned 0x8b4080 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x2c) returned 0x8b89a8 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x44) returned 0x8b9f90 [0193.396] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x24) returned 0x8b40d0 [0193.396] HeapFree (in: hHeap=0x8b0000, dwFlags=0x0, lpMem=0x8c2a18 | out: hHeap=0x8b0000) returned 1 [0193.397] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x8, Size=0x800) returned 0x8c1f80 [0193.397] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0193.397] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0193.397] GetStartupInfoW (in: lpStartupInfo=0x18fc58 | out: lpStartupInfo=0x18fc58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0193.397] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"" [0193.397] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"", pNumArgs=0x18fc44 | out: pNumArgs=0x18fc44) returned 0x8c2bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0193.398] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0193.400] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x1000) returned 0x8c44b8 [0193.400] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x28) returned 0x8b82c0 [0193.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_login", cchWideChar=-1, lpMultiByteStr=0x8b82c0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_login", lpUsedDefaultChar=0x0) returned 20 [0193.400] GetLastError () returned 0x0 [0193.400] SetLastError (dwErrCode=0x0) [0193.401] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginW") returned 0x0 [0193.401] GetLastError () returned 0x7f [0193.401] SetLastError (dwErrCode=0x7f) [0193.401] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginA") returned 0x0 [0193.401] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_login") returned 0x647c4c4b [0193.401] RtlAllocateHeap (HeapHandle=0x8b0000, Flags=0x0, Size=0x4) returned 0x8b3e88 [0193.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x8b3e88, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0193.401] GetActiveWindow () returned 0x0 [0193.402] GetLastError () returned 0x7f [0193.402] SetLastError (dwErrCode=0x7f) Thread: id = 592 os_tid = 0x11cc Process: id = "281" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x37587000" os_pid = "0x4ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "280" os_parent_pid = "0x11c8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "282" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2f6be000" os_pid = "0x13d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20404 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20405 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20406 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20407 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20408 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20409 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20410 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20411 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20412 start_va = 0xec0000 end_va = 0xec1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 20413 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20414 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20415 start_va = 0x7f320000 end_va = 0x7f342fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f320000" filename = "" Region: id = 20416 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20417 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20418 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20419 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20421 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20422 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20423 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20424 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20425 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20426 start_va = 0xed0000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 20428 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20429 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20430 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20431 start_va = 0x7f220000 end_va = 0x7f31ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f220000" filename = "" Region: id = 20432 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20433 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20434 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20435 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20436 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 20437 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20438 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20439 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20440 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20442 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20443 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20444 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20445 start_va = 0xec0000 end_va = 0xec3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 20446 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20447 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20448 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20449 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20450 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20451 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20452 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20453 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20454 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20455 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20456 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 20457 start_va = 0xed0000 end_va = 0xef9fff monitored = 0 entry_point = 0xed5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20458 start_va = 0x1080000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 20459 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20461 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20462 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20463 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20464 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 20465 start_va = 0xed0000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 20466 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20467 start_va = 0xf10000 end_va = 0xfa0fff monitored = 0 entry_point = 0xf48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20469 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20470 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 20471 start_va = 0xf00000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 20472 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 20473 start_va = 0xee0000 end_va = 0xee7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 20475 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 20476 start_va = 0xef0000 end_va = 0xef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 20477 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 20478 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 20480 start_va = 0xee0000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ee0000" filename = "" Region: id = 20481 start_va = 0xef0000 end_va = 0xef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Thread: id = 593 os_tid = 0x13cc [0194.311] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0194.311] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0194.311] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0194.311] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0194.311] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0194.311] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0194.312] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0194.312] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0194.313] GetProcessHeap () returned 0x1080000 [0194.313] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0194.313] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0194.313] GetLastError () returned 0x7e [0194.313] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0194.313] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0194.313] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x364) returned 0x1090a58 [0194.314] SetLastError (dwErrCode=0x7e) [0194.314] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xe00) returned 0x1090dc8 [0194.316] GetStartupInfoW (in: lpStartupInfo=0x18fb2c | out: lpStartupInfo=0x18fb2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0194.316] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0194.316] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0194.316] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0194.316] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"" [0194.316] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"" [0194.316] GetACP () returned 0x4e4 [0194.316] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x220) returned 0x1091bd0 [0194.316] IsValidCodePage (CodePage=0x4e4) returned 1 [0194.316] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb4c | out: lpCPInfo=0x18fb4c) returned 1 [0194.316] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f414 | out: lpCPInfo=0x18f414) returned 1 [0194.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0194.316] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0194.316] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f428 | out: lpCharType=0x18f428) returned 1 [0194.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0194.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0194.317] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0194.317] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0194.317] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0194.317] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0194.317] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f928, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿgÝ\x89}dû\x18", lpUsedDefaultChar=0x0) returned 256 [0194.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0194.317] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa28, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0194.317] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0194.317] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0194.317] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f828, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿgÝ\x89}dû\x18", lpUsedDefaultChar=0x0) returned 256 [0194.317] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x80) returned 0x1083860 [0194.318] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x17c) returned 0x1091df8 [0194.318] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0194.318] GetLastError () returned 0x0 [0194.318] SetLastError (dwErrCode=0x0) [0194.318] GetEnvironmentStringsW () returned 0x1091f80* [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0xa8c) returned 0x1092a18 [0194.318] FreeEnvironmentStringsW (penv=0x1091f80) returned 1 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x10847b0 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3e) returned 0x108ad98 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x5c) returned 0x1088a88 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x6e) returned 0x1084878 [0194.318] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x78) returned 0x10942d8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1084c48 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x28) returned 0x1083d80 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1083fd0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1a) returned 0x1080570 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108a9f0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1083be0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2a) returned 0x10887b0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x1088890 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1c) returned 0x1083db0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x144) returned 0x1089ca0 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x7c) returned 0x10882e8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108e2a8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108abe8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x10845e8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083900 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x30) returned 0x1088660 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108e528 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x10828f8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x10804b8 [0194.319] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3c) returned 0x108aa38 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xd6) returned 0x1089e60 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x1088698 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1e) returned 0x1082948 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x10886d0 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x54) returned 0x1083df8 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x1084058 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083e58 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x42) returned 0x10840b8 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x10887e8 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x44) returned 0x1089f90 [0194.320] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083930 [0194.321] HeapFree (in: hHeap=0x1080000, dwFlags=0x0, lpMem=0x1092a18 | out: hHeap=0x1080000) returned 1 [0194.322] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x800) returned 0x1091f80 [0194.322] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0194.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0194.322] GetStartupInfoW (in: lpStartupInfo=0x18fb90 | out: lpStartupInfo=0x18fb90*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0194.322] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"" [0194.322] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"", pNumArgs=0x18fb7c | out: pNumArgs=0x18fb7c) returned 0x1092bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0194.323] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0194.325] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x1000) returned 0x10944b8 [0194.325] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x2a) returned 0x1088858 [0194.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_logout", cchWideChar=-1, lpMultiByteStr=0x1088858, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_logout", lpUsedDefaultChar=0x0) returned 21 [0194.325] GetLastError () returned 0x0 [0194.325] SetLastError (dwErrCode=0x0) [0194.325] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutW") returned 0x0 [0194.326] GetLastError () returned 0x7f [0194.326] SetLastError (dwErrCode=0x7f) [0194.326] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutA") returned 0x0 [0194.326] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logout") returned 0x647c4b1f [0194.326] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x4) returned 0x1083808 [0194.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x1083808, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0194.326] GetActiveWindow () returned 0x0 [0194.327] GetLastError () returned 0x7f [0194.327] SetLastError (dwErrCode=0x7f) Thread: id = 595 os_tid = 0x1214 Process: id = "283" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x385ee000" os_pid = "0x13ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "282" os_parent_pid = "0x13d4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "284" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2e8d5000" os_pid = "0x1338" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20498 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20499 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20500 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20501 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20502 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20503 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20504 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20505 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20506 start_va = 0x740000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 20507 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20508 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20509 start_va = 0x7ea10000 end_va = 0x7ea32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea10000" filename = "" Region: id = 20510 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20511 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20512 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20513 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20515 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20516 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20517 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20518 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20519 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20520 start_va = 0x750000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 20521 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20523 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20524 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20525 start_va = 0x7e910000 end_va = 0x7ea0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e910000" filename = "" Region: id = 20526 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20527 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20528 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20529 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20530 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 20531 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20532 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20533 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20534 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20535 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20536 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20538 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20539 start_va = 0x740000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 20540 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20541 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20542 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20543 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20544 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20545 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20546 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20547 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20548 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20549 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20550 start_va = 0x750000 end_va = 0x779fff monitored = 0 entry_point = 0x755680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20551 start_va = 0x840000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 20552 start_va = 0x940000 end_va = 0xac7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 20553 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20569 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20570 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20571 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 20572 start_va = 0xad0000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 20573 start_va = 0xc60000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 20574 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20575 start_va = 0x750000 end_va = 0x7e0fff monitored = 0 entry_point = 0x788cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20583 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20584 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 20585 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 20586 start_va = 0x760000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 20590 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 20591 start_va = 0x770000 end_va = 0x771fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 20592 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 20593 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 20594 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 20595 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Thread: id = 597 os_tid = 0x1150 [0195.607] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0195.608] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0195.608] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0195.608] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0195.608] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0195.608] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0195.609] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0195.609] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0195.609] GetProcessHeap () returned 0x840000 [0195.609] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0195.610] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0195.610] GetLastError () returned 0x7e [0195.610] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0195.610] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0195.610] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x364) returned 0x850a28 [0195.610] SetLastError (dwErrCode=0x7e) [0195.610] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0xe00) returned 0x850d98 [0195.612] GetStartupInfoW (in: lpStartupInfo=0x18f9f0 | out: lpStartupInfo=0x18f9f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0195.612] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0195.612] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0195.612] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0195.612] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"" [0195.612] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"" [0195.612] GetACP () returned 0x4e4 [0195.612] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x220) returned 0x851ba0 [0195.612] IsValidCodePage (CodePage=0x4e4) returned 1 [0195.612] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa10 | out: lpCPInfo=0x18fa10) returned 1 [0195.612] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2d8 | out: lpCPInfo=0x18f2d8) returned 1 [0195.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0195.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0195.612] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f2ec | out: lpCharType=0x18f2ec) returned 1 [0195.613] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0195.613] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0195.613] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0195.613] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0195.613] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0195.613] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0195.613] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'XÈ\x94(ú\x18", lpUsedDefaultChar=0x0) returned 256 [0195.613] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0195.613] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8ec, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0195.613] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0195.613] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ee38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0195.613] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6ec, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'XÈ\x94(ú\x18", lpUsedDefaultChar=0x0) returned 256 [0195.613] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x80) returned 0x843868 [0195.613] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0195.613] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x186) returned 0x851dc8 [0195.613] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0195.613] GetLastError () returned 0x0 [0195.614] SetLastError (dwErrCode=0x0) [0195.614] GetEnvironmentStringsW () returned 0x851f58* [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0xa8c) returned 0x8529f0 [0195.614] FreeEnvironmentStringsW (penv=0x851f58) returned 1 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x90) returned 0x844558 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3e) returned 0x84af18 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x5c) returned 0x848a58 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x6e) returned 0x844850 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x78) returned 0x853c30 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x62) returned 0x843fd8 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x28) returned 0x849e30 [0195.614] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x48) returned 0x843d88 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1a) returned 0x844620 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3a) returned 0x84b110 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x62) returned 0x8447c0 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2a) returned 0x848908 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2e) returned 0x848630 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1c) returned 0x844648 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x144) returned 0x849c70 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x7c) returned 0x8482b8 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x36) returned 0x84e238 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3a) returned 0x84ab70 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x90) returned 0x84a280 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x843be8 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x30) returned 0x848898 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x36) returned 0x84e078 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x48) returned 0x843908 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x52) returned 0x842900 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x3c) returned 0x84a9c0 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0xd6) returned 0x8404a0 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2e) returned 0x8486a0 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x1e) returned 0x840580 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2c) returned 0x8486d8 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x54) returned 0x844390 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x52) returned 0x843e00 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x8443f0 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x42) returned 0x844060 [0195.615] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x2c) returned 0x848780 [0195.778] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x44) returned 0x8440b0 [0195.778] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x24) returned 0x843e60 [0195.778] HeapFree (in: hHeap=0x840000, dwFlags=0x0, lpMem=0x8529f0 | out: hHeap=0x840000) returned 1 [0195.778] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x8, Size=0x800) returned 0x851f58 [0195.778] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0195.778] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0195.779] GetStartupInfoW (in: lpStartupInfo=0x18fa54 | out: lpStartupInfo=0x18fa54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0195.779] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"" [0195.779] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"", pNumArgs=0x18fa40 | out: pNumArgs=0x18fa40) returned 0x852ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0195.779] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0195.782] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x1000) returned 0x854490 [0195.782] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x34) returned 0x84e5f8 [0195.782] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_sameTokenId", cchWideChar=-1, lpMultiByteStr=0x84e5f8, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_sameTokenId", lpUsedDefaultChar=0x0) returned 26 [0195.782] GetLastError () returned 0x0 [0195.782] SetLastError (dwErrCode=0x0) [0195.782] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdW") returned 0x0 [0195.782] GetLastError () returned 0x7f [0195.782] SetLastError (dwErrCode=0x7f) [0195.783] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdA") returned 0x0 [0195.783] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenId") returned 0x647c4750 [0195.783] RtlAllocateHeap (HeapHandle=0x840000, Flags=0x0, Size=0x4) returned 0x844100 [0195.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x844100, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0195.783] GetActiveWindow () returned 0x0 [0195.784] GetLastError () returned 0x7f [0195.784] SetLastError (dwErrCode=0x7f) Thread: id = 599 os_tid = 0xdac Process: id = "285" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x534d5000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "284" os_parent_pid = "0x1338" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"0\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "286" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2e5ec000" os_pid = "0xfe8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20601 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20602 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20603 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20604 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20605 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20606 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20607 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20608 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20609 start_va = 0x620000 end_va = 0x621fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 20610 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20611 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20612 start_va = 0x7e5b0000 end_va = 0x7e5d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5b0000" filename = "" Region: id = 20613 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20614 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20615 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20616 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20617 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20618 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20619 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20620 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20621 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20622 start_va = 0x630000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 20623 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20624 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20625 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20626 start_va = 0x7e4b0000 end_va = 0x7e5affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4b0000" filename = "" Region: id = 20627 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20628 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20629 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20630 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20631 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 20632 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20633 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20634 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20635 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20636 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20637 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20638 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20639 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 20640 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 20641 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20642 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20643 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20645 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20646 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20647 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20648 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20649 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20650 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20651 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20652 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 20653 start_va = 0x7e0000 end_va = 0x809fff monitored = 0 entry_point = 0x7e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20654 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20655 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20656 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20657 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 20658 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 20659 start_va = 0xab0000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 20660 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20661 start_va = 0xab0000 end_va = 0xb40fff monitored = 0 entry_point = 0xae8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20662 start_va = 0xb50000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 20665 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20666 start_va = 0x7e0000 end_va = 0x7e2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 20667 start_va = 0xb60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 20668 start_va = 0x10000000 end_va = 0x10023fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 20669 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20670 start_va = 0xc70000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 20671 start_va = 0x743a0000 end_va = 0x743b2fff monitored = 0 entry_point = 0x743a1d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 20672 start_va = 0x6f9d0000 end_va = 0x6f9ebfff monitored = 0 entry_point = 0x6f9d4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 20673 start_va = 0x6f9b0000 end_va = 0x6f9c4fff monitored = 0 entry_point = 0x6f9b5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 20674 start_va = 0x6f9a0000 end_va = 0x6f9a9fff monitored = 0 entry_point = 0x6f9a28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 20675 start_va = 0x6f970000 end_va = 0x6f99efff monitored = 0 entry_point = 0x6f985140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 20676 start_va = 0x6f960000 end_va = 0x6f96ffff monitored = 0 entry_point = 0x6f9634d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 20677 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 20678 start_va = 0x6f940000 end_va = 0x6f958fff monitored = 0 entry_point = 0x6f9447e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 20679 start_va = 0x77200000 end_va = 0x7725efff monitored = 0 entry_point = 0x77204af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 20683 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 20684 start_va = 0xd20000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 20751 start_va = 0x7f0000 end_va = 0x7f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 20752 start_va = 0x800000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 20753 start_va = 0xdd0000 end_va = 0xecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 20774 start_va = 0x800000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 20775 start_va = 0xab0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 20776 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20787 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20797 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20802 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20813 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20832 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20865 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20914 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20943 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20971 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20984 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 20990 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21005 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21033 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21035 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21056 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21067 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21086 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21110 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21124 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21149 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21152 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21160 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21162 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21185 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21193 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21209 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21226 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21236 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21245 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21247 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21265 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21290 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21347 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21372 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21397 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21426 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21438 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21468 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21478 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21481 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21483 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21500 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21509 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21521 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21539 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21544 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21554 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21561 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21562 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21569 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21572 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21596 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21620 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21641 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21662 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21678 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21688 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21696 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21697 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21704 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21708 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21709 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21711 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21713 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21731 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21762 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21778 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21798 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21808 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21814 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21817 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21825 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21827 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21830 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21832 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21836 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21855 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21863 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21878 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21894 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21902 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21911 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21917 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21921 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21929 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21931 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21933 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21935 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21937 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21939 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21957 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21966 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 21987 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22006 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22014 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22018 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22027 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22035 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22037 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22041 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22044 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22045 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22046 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22047 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22048 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22065 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22073 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22086 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22102 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22108 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22118 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22124 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22128 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22134 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22135 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22143 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22160 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22170 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22191 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22235 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22243 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 22249 start_va = 0x800000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Thread: id = 601 os_tid = 0xfd0 [0196.895] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0196.896] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0196.896] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0196.896] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0196.896] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0196.896] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0196.897] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0196.897] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0196.897] GetProcessHeap () returned 0x820000 [0196.897] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0196.897] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0196.898] GetLastError () returned 0x7e [0196.898] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0196.898] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0196.898] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x364) returned 0x830a28 [0196.898] SetLastError (dwErrCode=0x7e) [0196.899] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0xe00) returned 0x830d98 [0196.900] GetStartupInfoW (in: lpStartupInfo=0x18f7d4 | out: lpStartupInfo=0x18f7d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0196.900] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0196.900] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0196.900] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0196.900] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"" [0196.900] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"" [0196.900] GetACP () returned 0x4e4 [0196.900] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x220) returned 0x831ba0 [0196.901] IsValidCodePage (CodePage=0x4e4) returned 1 [0196.901] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7f4 | out: lpCPInfo=0x18f7f4) returned 1 [0196.901] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0bc | out: lpCPInfo=0x18f0bc) returned 1 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0196.901] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0d0 | out: lpCharType=0x18f0d0) returned 1 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0196.901] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0196.901] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0196.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0196.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0196.901] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿB\x18KË\x0cø\x18", lpUsedDefaultChar=0x0) returned 256 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0196.901] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0196.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0196.901] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0196.901] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿB\x18KË\x0cø\x18", lpUsedDefaultChar=0x0) returned 256 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x80) returned 0x823830 [0196.902] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x15c) returned 0x829c70 [0196.902] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0196.902] GetLastError () returned 0x0 [0196.902] SetLastError (dwErrCode=0x0) [0196.902] GetEnvironmentStringsW () returned 0x831dc8* [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0xa8c) returned 0x832860 [0196.902] FreeEnvironmentStringsW (penv=0x831dc8) returned 1 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x90) returned 0x824520 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3e) returned 0x82b110 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x5c) returned 0x8287f8 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x6e) returned 0x8245e8 [0196.902] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x78) returned 0x833ea0 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x62) returned 0x8249b8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x28) returned 0x823d50 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x48) returned 0x823fa0 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1a) returned 0x820570 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3a) returned 0x82ae88 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x62) returned 0x823bb0 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2a) returned 0x828478 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2e) returned 0x828670 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1c) returned 0x823d80 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x144) returned 0x831dc8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x7c) returned 0x828058 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x36) returned 0x82e478 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3a) returned 0x82b0c8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x90) returned 0x824358 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x8238d0 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x30) returned 0x828520 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x36) returned 0x82e3b8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x48) returned 0x8228d8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x52) returned 0x8204b8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3c) returned 0x82aa50 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0xd6) returned 0x829e30 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2e) returned 0x8285c8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1e) returned 0x822928 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2c) returned 0x8286e0 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x54) returned 0x823dc8 [0196.903] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x52) returned 0x824028 [0196.904] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x823e28 [0196.904] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x42) returned 0x824088 [0196.904] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2c) returned 0x828600 [0196.904] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x44) returned 0x829f60 [0196.904] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x823900 [0196.905] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x832860 | out: hHeap=0x820000) returned 1 [0196.905] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x800) returned 0x831f18 [0196.905] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0196.905] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0196.905] GetStartupInfoW (in: lpStartupInfo=0x18f838 | out: lpStartupInfo=0x18f838*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0196.905] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"" [0196.905] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"", pNumArgs=0x18f824 | out: pNumArgs=0x18f824) returned 0x832b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0196.906] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0196.969] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x1000) returned 0x834300 [0196.969] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0xa) returned 0x82a120 [0196.969] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="must", cchWideChar=-1, lpMultiByteStr=0x82a120, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="must", lpUsedDefaultChar=0x0) returned 5 [0196.969] GetLastError () returned 0x0 [0196.969] SetLastError (dwErrCode=0x0) [0196.970] GetProcAddress (hModule=0x647c0000, lpProcName="mustW") returned 0x0 [0196.970] GetLastError () returned 0x7f [0196.970] SetLastError (dwErrCode=0x7f) [0196.970] GetProcAddress (hModule=0x647c0000, lpProcName="mustA") returned 0x0 [0196.970] GetProcAddress (hModule=0x647c0000, lpProcName="must") returned 0x647c4e94 [0196.970] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x4) returned 0x8237d8 [0196.970] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x8237d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0196.970] GetActiveWindow () returned 0x0 [0196.971] VirtualAlloc (lpAddress=0x0, dwSize=0x2d82, flAllocationType=0x3000, flProtect=0x4) returned 0x7e0000 [0196.971] VirtualProtect (in: lpAddress=0x7e0000, dwSize=0x2d82, flNewProtect=0x20, lpflOldProtect=0x18f75c | out: lpflOldProtect=0x18f75c*=0x4) returned 1 [0196.984] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x100000) returned 0xb6e020 [0196.999] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x4) returned 0x823930 [0196.999] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x20800) returned 0x835308 [0197.002] RtlFreeHeap (HeapHandle=0x820000, Flags=0x0, BaseAddress=0x823930) returned 1 [0197.005] GetNativeSystemInfo (in: lpSystemInfo=0x18f5e4 | out: lpSystemInfo=0x18f5e4*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0197.005] VirtualAlloc (lpAddress=0x10000000, dwSize=0x24000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0197.037] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x754e0000 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="_snprintf") returned 0x75555020 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="memchr") returned 0x75568380 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="malloc") returned 0x75527900 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="_errno") returned 0x75515cd0 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="_strtoi64") returned 0x75511e60 [0197.038] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnprintf") returned 0x755563d0 [0197.226] GetProcAddress (hModule=0x754e0000, lpProcName="memset") returned 0x75568c80 [0197.226] GetProcAddress (hModule=0x754e0000, lpProcName="qsort") returned 0x7553c200 [0197.226] GetProcAddress (hModule=0x754e0000, lpProcName="_ftol2_sse") returned 0x7557a580 [0197.226] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnwprintf") returned 0x75556840 [0197.226] GetProcAddress (hModule=0x754e0000, lpProcName="free") returned 0x75527740 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="_time64") returned 0x7556ea10 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="strncpy") returned 0x75569350 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="strchr") returned 0x75568d90 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="strtod") returned 0x75511ba0 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="localeconv") returned 0x7553c100 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="memcpy") returned 0x755684a0 [0197.227] GetProcAddress (hModule=0x754e0000, lpProcName="atol") returned 0x7550fe40 [0197.227] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75820000 [0197.227] GetProcAddress (hModule=0x75820000, lpProcName="FindNextFileW") returned 0x758469a0 [0197.227] GetProcAddress (hModule=0x75820000, lpProcName="GetTickCount") returned 0x75845eb0 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="SetThreadPriority") returned 0x75839990 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="FlushFileBuffers") returned 0x758469b0 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="LocalAlloc") returned 0x75837a30 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="GetExitCodeProcess") returned 0x7583fdb0 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemTimeAsFileTime") returned 0x75837620 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="GetFileAttributesW") returned 0x75846a50 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="MultiByteToWideChar") returned 0x75832ad0 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="SetCurrentDirectoryA") returned 0x75862290 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="Sleep") returned 0x75837990 [0197.228] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpiW") returned 0x75837590 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="GetDriveTypeW") returned 0x75846a10 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="GetLastError") returned 0x75833870 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="CreateDirectoryW") returned 0x75846860 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatA") returned 0x7583f640 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="CreateMutexW") returned 0x758466f0 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentThread") returned 0x758375f0 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="GetProcessId") returned 0x7583a6a0 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="DisconnectNamedPipe") returned 0x75860990 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpA") returned 0x7583cc30 [0197.229] GetProcAddress (hModule=0x75820000, lpProcName="K32GetModuleFileNameExW") returned 0x758616a0 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="MoveFileW") returned 0x7583b1d0 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="ExitThread") returned 0x776b7a80 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="GetNumberFormatA") returned 0x75876060 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcessId") returned 0x758323e0 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="SwitchToThread") returned 0x7583a690 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleW") returned 0x75839bc0 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="GetProcAddress") returned 0x758378b0 [0197.230] GetProcAddress (hModule=0x75820000, lpProcName="HeapCreate") returned 0x7583a100 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="HeapFree") returned 0x75831ba0 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="HeapAlloc") returned 0x77682bd0 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleA") returned 0x758399f0 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryA") returned 0x75844bf0 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcess") returned 0x758338c0 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatW") returned 0x7585d170 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="WideCharToMultiByte") returned 0x75833880 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="FindFirstFileW") returned 0x75846960 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="GetWindowsDirectoryW") returned 0x75845120 [0197.231] GetProcAddress (hModule=0x75820000, lpProcName="SetFileAttributesW") returned 0x75846c20 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="lstrlenW") returned 0x75833690 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryW") returned 0x7583a840 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="FreeLibrary") returned 0x75839f50 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="GetCommandLineW") returned 0x7583aba0 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="GetVersionExA") returned 0x7583a700 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemInfo") returned 0x7583a0f0 [0197.232] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentDirectoryW") returned 0x7583a9a0 [0197.232] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ec0000 [0197.232] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffA") returned 0x74f4aba0 [0197.232] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffW") returned 0x74ef4d90 [0197.233] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75e00000 [0197.233] GetProcAddress (hModule=0x75e00000, lpProcName="CommandLineToArgvW") returned 0x75fabf80 [0197.233] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a90000 [0197.233] GetProcAddress (hModule=0x75a90000, lpProcName="CoCreateInstance") returned 0x75690060 [0197.233] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeEx") returned 0x756688d0 [0197.233] GetProcAddress (hModule=0x75a90000, lpProcName="CoSetProxyBlanket") returned 0x756660a0 [0197.233] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeSecurity") returned 0x756d3870 [0197.233] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74bb0000 [0197.236] GetProcAddress (hModule=0x74bb0000, lpProcName=0x14) returned 0x74bc2a10 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x6) returned 0x74bc9d40 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x2) returned 0x74bc9c90 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x9) returned 0x74bc9570 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x13) returned 0x74bc25b0 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x10) returned 0x74bc6200 [0197.237] GetProcAddress (hModule=0x74bb0000, lpProcName=0x19) returned 0x74bc5830 [0197.237] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x18800, flNewProtect=0x20, lpflOldProtect=0x18f6a0 | out: lpflOldProtect=0x18f6a0*=0x4) returned 1 [0197.239] VirtualProtect (in: lpAddress=0x1001a000, dwSize=0x4800, flNewProtect=0x2, lpflOldProtect=0x18f6a0 | out: lpflOldProtect=0x18f6a0*=0x4) returned 1 [0197.239] VirtualProtect (in: lpAddress=0x1001f000, dwSize=0x2000, flNewProtect=0x4, lpflOldProtect=0x18f6a0 | out: lpflOldProtect=0x18f6a0*=0x4) returned 1 [0197.239] VirtualProtect (in: lpAddress=0x10022000, dwSize=0x600, flNewProtect=0x2, lpflOldProtect=0x18f6a0 | out: lpflOldProtect=0x18f6a0*=0x4) returned 1 [0197.239] VirtualProtect (in: lpAddress=0x10023000, dwSize=0xe00, flNewProtect=0x2, lpflOldProtect=0x18f6a0 | out: lpflOldProtect=0x18f6a0*=0x4) returned 1 [0197.240] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0197.243] HeapCreate (flOptions=0x0, dwInitialSize=0x96000, dwMaximumSize=0x0) returned 0xc80000 [0197.246] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x100) returned 0xcff5a8 [0197.246] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x7a) returned 0xcff6b0 [0197.246] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f254, cchNumber=34 | out: lpNumberStr="") returned 0 [0197.247] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x28) returned 0xcff738 [0197.247] GetFileAttributesW (lpFileName="C:\\INTERNAL\\__empty" (normalized: "c:\\internal\\__empty")) returned 0xffffffff [0197.257] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f4cc, cbMultiByte=-1, lpWideCharStr=0x18f2cc, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0197.299] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff738 [0197.299] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0197.299] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x144) returned 0xcff750 [0197.306] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0197.306] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0197.307] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.307] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff738 [0197.307] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0197.307] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x144) returned 0xcff8a0 [0197.313] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0197.313] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0197.313] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.313] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xcff738 [0197.313] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77650000 [0197.313] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x40) returned 0xcff9f0 [0197.315] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.315] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xcff738 [0197.315] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74ec0000 [0197.315] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x6c) returned 0xcffa38 [0197.316] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.316] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xcff738 [0197.316] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x74a60000 [0197.316] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x24) returned 0xcffab0 [0197.316] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.316] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff738 [0197.316] LoadLibraryA (lpLibFileName="netapi32.dll") returned 0x743a0000 [0197.318] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x18) returned 0xcffae0 [0197.319] LoadLibraryA (lpLibFileName="SRVCLI.dll") returned 0x6f9d0000 [0197.322] GetProcAddress (hModule=0x6f9d0000, lpProcName="NetShareEnum") returned 0x6f9d4140 [0197.322] LoadLibraryA (lpLibFileName="SAMCLI.dll") returned 0x6f9b0000 [0197.325] GetProcAddress (hModule=0x6f9b0000, lpProcName="NetUserEnum") returned 0x6f9bc010 [0197.325] LoadLibraryA (lpLibFileName="NETUTILS.dll") returned 0x6f9a0000 [0197.328] GetProcAddress (hModule=0x6f9a0000, lpProcName="NetApiBufferFree") returned 0x6f9a16d0 [0197.328] LoadLibraryA (lpLibFileName="LOGONCLI.dll") returned 0x6f970000 [0197.331] GetProcAddress (hModule=0x6f970000, lpProcName="NetGetDCName") returned 0x6f98de00 [0197.331] LoadLibraryA (lpLibFileName="WKSCLI.dll") returned 0x6f960000 [0197.372] GetProcAddress (hModule=0x6f960000, lpProcName="NetGetJoinInformation") returned 0x6f962e90 [0197.372] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.372] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff738 [0197.372] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77260000 [0197.372] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd4) returned 0xcffb00 [0197.374] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.374] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff738 [0197.374] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x75a40000 [0197.374] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2c) returned 0xcffbe0 [0197.374] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.375] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff738 [0197.375] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75e00000 [0197.375] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xcffc18 [0197.375] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.375] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff738 [0197.375] LoadLibraryA (lpLibFileName="userenv.dll") returned 0x6f940000 [0197.378] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcffc28 [0197.378] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.378] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xcff738 [0197.378] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77200000 [0197.381] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xcffc38 [0197.381] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.381] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x20) returned 0xcffc50 [0197.382] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcffc50 | out: hHeap=0xc80000) returned 1 [0197.384] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x1ac4) returned 0xcffc50 [0197.384] GetCurrentProcessId () returned 0xfe8 [0197.384] GetTickCount64 () returned 0x1d2eff8 [0197.384] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xd01294, nSize=0x105 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0197.384] GetCurrentProcess () returned 0xffffffff [0197.384] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ec84 | out: TokenHandle=0x18ec84*=0x1b4) returned 1 [0197.384] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ec64 | out: TokenInformation=0x0, ReturnLength=0x18ec64) returned 0 [0197.384] GetLastError () returned 0x7a [0197.384] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x24) returned 0xd01720 [0197.385] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0xd01720, TokenInformationLength=0x24, ReturnLength=0x18ec74 | out: TokenInformation=0xd01720, ReturnLength=0x18ec74) returned 1 [0197.385] CloseHandle (hObject=0x1b4) returned 1 [0197.385] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18ec7c, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18ec84 | out: pSid=0x18ec84*=0x82a048*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0197.385] EqualSid (pSid1=0xd01728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x82a048*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0197.385] GetCurrentThread () returned 0xfffffffe [0197.385] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18ec58 | out: TokenHandle=0x18ec58*=0x0) returned 0 [0197.385] GetLastError () returned 0x3f0 [0197.385] GetCurrentProcess () returned 0xffffffff [0197.385] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ec58 | out: TokenHandle=0x18ec58*=0x1b4) returned 1 [0197.385] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ec50 | out: TokenInformation=0x0, ReturnLength=0x18ec50) returned 0 [0197.385] GetLastError () returned 0x7a [0197.385] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x140) returned 0xd01750 [0197.385] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0xd01750, TokenInformationLength=0x140, ReturnLength=0x18ec74 | out: TokenInformation=0xd01750, ReturnLength=0x18ec74) returned 1 [0197.385] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18ec6c, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18ec80 | out: pSid=0x18ec80*=0x82a0c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0197.385] EqualSid (pSid1=0xd017c4*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0x82a0c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0197.385] EqualSid (pSid1=0xd017e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), pSid2=0x82a0c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0197.385] EqualSid (pSid1=0xd017ec*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x72), pSid2=0x82a0c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0197.385] EqualSid (pSid1=0xd017f8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x82a0c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0197.385] CloseHandle (hObject=0x1b4) returned 1 [0197.386] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01750 | out: hHeap=0xc80000) returned 1 [0197.386] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0x18ec84, BufferType=0x18ec80 | out: lpNameBuffer=0x18ec84*="WORKGROUP", BufferType=0x18ec80) returned 0x0 [0197.541] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xd01750 [0197.541] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0x18ec84 | out: bufptr=0x18ec84) returned 0x995 [0197.544] LookupAccountSidW (in: lpSystemName=0x0, Sid=0xd01728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), Name=0xcffd64, cchName=0x18f6e4, ReferencedDomainName=0x18f460, cchReferencedDomainName=0x18f6e8, peUse=0x18f6e0 | out: Name="RDhJ0CNFevzX", cchName=0x18f6e4, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0x18f6e8, peUse=0x18f6e0) returned 1 [0197.547] GetSystemMetrics (nIndex=4096) returned 0 [0197.726] GetModuleFileNameW (in: hModule=0x10000000, lpFilename=0xcffe78, nSize=0x104 | out: lpFilename="") returned 0x0 [0197.726] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"" [0197.726] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"0\"", pNumArgs=0x18ec7c | out: pNumArgs=0x18ec7c) returned 0x8598a0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0197.726] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe") returned 40 [0197.726] GetComputerNameW (in: lpBuffer=0x18e874, nSize=0x18ea78 | out: lpBuffer="XC64ZB", nSize=0x18ea78) returned 1 [0197.726] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18e3f4, cchNumber=34 | out: lpNumberStr="tè\x18") returned 0 [0197.726] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xcff738 [0197.726] GetVolumeInformationW (in: lpRootPathName="c:\\\\", lpVolumeNameBuffer=0x18e474, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x18ea7c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e674, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18ea7c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0197.727] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.727] _vsnwprintf (in: _Buffer=0x18ea94, _BufferCount=0xfa, _Format="%u", _ArgList=0x18e464 | out: _Buffer="203980600") returned 9 [0197.727] lstrcatW (in: lpString1="XC64ZB203980600", lpString2="RDhJ0CNFevzX" | out: lpString1="XC64ZB203980600RDhJ0CNFevzX") returned="XC64ZB203980600RDhJ0CNFevzX" [0197.727] CharUpperBuffW (in: lpsz="XC64ZB203980600RDhJ0CNFevzX", cchLength=0x1b | out: lpsz="XC64ZB203980600RDHJ0CNFEVZX") returned 0x1b [0197.728] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x21) returned 0xd01770 [0197.728] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫\x18큈") returned 7 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.728] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0197.729] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.730] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcffd00, cbMultiByte=-1, lpWideCharStr=0xcffd20, cchWideChar=32 | out: lpWideCharStr="fdircmne") returned 9 [0197.730] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x1b) returned 0xd01770 [0197.730] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xcff738 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0197.730] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.730] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0197.730] GetCurrentProcess () returned 0xffffffff [0197.730] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ec84 | out: TokenHandle=0x18ec84*=0x1fc) returned 1 [0197.730] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ec64 | out: TokenInformation=0x0, ReturnLength=0x18ec64) returned 0 [0197.730] GetLastError () returned 0x7a [0197.730] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xd01770 [0197.730] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0xd01770, TokenInformationLength=0x14, ReturnLength=0x18ec7c | out: TokenInformation=0xd01770, ReturnLength=0x18ec7c) returned 1 [0197.731] GetSidSubAuthorityCount (pSid=0xd01778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xd01779 [0197.731] GetSidSubAuthority (pSid=0xd01778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xd01780 [0197.731] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.731] CloseHandle (hObject=0x1fc) returned 1 [0197.731] GetVersionExA (in: lpVersionInformation=0xcffc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xcffc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0197.731] GetCurrentProcess () returned 0xffffffff [0197.731] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ec84 | out: Wow64Process=0x18ec84*=1) returned 1 [0197.731] GetWindowsDirectoryW (in: lpBuffer=0xd00c70, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0197.731] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18ec1c, cchNumber=34 | out: lpNumberStr="") returned 0 [0197.731] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x16) returned 0xd01770 [0197.731] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x18f454, nSize=0x104 | out: lpBuffer="") returned 0xa [0197.731] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.731] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0xd01084, nSize=0x209 | out: lpBuffer="") returned 0x15 [0197.731] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0xd00e7a, nSize=0x20a | out: lpBuffer="") returned 0x24 [0197.731] GetEnvironmentVariableW (in: lpName="SystemDrive", lpBuffer=0x18f660, nSize=0x40 | out: lpBuffer="") returned 0x2 [0197.731] GetComputerNameW (in: lpBuffer=0xd015ec, nSize=0x18f6e8 | out: lpBuffer="XC64ZB", nSize=0x18f6e8) returned 1 [0197.731] lstrlenW (lpString="䉁䑃䙅睬羹Ꮌ￾ÿ\x18䬇ခ\x18") returned 14 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.731] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.732] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.733] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] lstrlenW (lpString="䉁䑃䙅") returned 3 [0197.734] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2d) returned 0xd01770 [0197.734] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff738 [0197.734] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd017a8 [0197.734] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x13) returned 0xd017c0 [0197.734] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd017e0 [0197.735] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.735] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x26) returned 0xd01770 [0197.736] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd017f8 [0197.736] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd01810 [0197.736] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd01828 [0197.736] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd01840 [0197.737] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd01770 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xd01788 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd01858 [0197.737] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd01770 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xd01798 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xd01870 [0197.737] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xd01888 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xd01770 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xd018a8 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd018b8 [0197.737] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01888 | out: hHeap=0xc80000) returned 1 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x12) returned 0xd01888 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xd018d0 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xd018e0 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xd018f8 [0197.737] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01888 | out: hHeap=0xc80000) returned 1 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x25) returned 0xd01910 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd01888 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xd01940 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xd01958 [0197.737] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xd01970 [0197.739] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01910 | out: hHeap=0xc80000) returned 1 [0197.739] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x53) returned 0xcff008 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x18) returned 0xd01910 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff068 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xcff168 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xcff270 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff150 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xcff0f0 [0197.742] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff258 [0197.743] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff008 | out: hHeap=0xc80000) returned 1 [0197.743] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2f) returned 0xcff008 [0197.743] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff1c8 [0197.743] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x15) returned 0xcff040 [0197.743] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff0a8 [0197.743] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff1b0 [0197.744] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff008 | out: hHeap=0xc80000) returned 1 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x3e) returned 0xcff288 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xcff210 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xcff228 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff0c0 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xcff008 [0197.744] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xf) returned 0xcff108 [0197.745] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff288 | out: hHeap=0xc80000) returned 1 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xf) returned 0xcff138 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xd01930 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xf) returned 0xcff120 [0197.745] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff138 | out: hHeap=0xc80000) returned 1 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xcff138 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff028 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xcff240 [0197.745] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff138 | out: hHeap=0xc80000) returned 1 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x22) returned 0xcff288 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xcff138 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xcff198 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xcff0d8 [0197.745] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xcff180 [0197.746] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff288 | out: hHeap=0xc80000) returned 1 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xcff1e0 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff288 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xcff1f8 [0197.746] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff1e0 | out: hHeap=0xc80000) returned 1 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x1c) returned 0xcff298 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xcff2c0 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xcff1e0 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xc80a98 [0197.746] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff298 | out: hHeap=0xc80000) returned 1 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xc808e8 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff298 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x9) returned 0xc80900 [0197.746] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc808e8 | out: hHeap=0xc80000) returned 1 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2b) returned 0xcff2d0 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xc80978 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xc809c0 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x10) returned 0xc809d8 [0197.746] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xc80b10 [0197.747] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x72) returned 0xcff2d0 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xcff350 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x18) returned 0xcff370 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x19) returned 0xcff390 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x12) returned 0xcff3b8 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x20) returned 0xcff3d8 [0197.747] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xf) returned 0xc80a68 [0197.748] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0197.748] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x30) returned 0xcff2d0 [0197.748] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xcff2a8 [0197.748] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x25) returned 0xcff308 [0197.748] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xc80b40 [0197.749] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2a) returned 0xcff2d0 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xc80ae0 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xc80b28 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xc80a20 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x11) returned 0xcff400 [0197.749] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0197.749] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x2a) returned 0xcff2d0 [0197.750] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xcff338 [0197.750] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x14) returned 0xcff420 [0197.750] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x16) returned 0xcff440 [0197.750] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0197.750] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xc80a80 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff2d0 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xa) returned 0xc80ab0 [0197.751] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a80 | out: hHeap=0xc80000) returned 1 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xc80bb8 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff2e0 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xd) returned 0xc80a38 [0197.751] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80bb8 | out: hHeap=0xc80000) returned 1 [0197.751] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xc80b70 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x4) returned 0xcff2f0 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xb) returned 0xc809f0 [0197.752] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80b70 | out: hHeap=0xc80000) returned 1 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x1f) returned 0xcff460 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x8) returned 0xc80e20 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xe) returned 0xc80a08 [0197.752] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x11) returned 0xcff488 [0197.752] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff460 | out: hHeap=0xc80000) returned 1 [0197.753] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0197.845] Process32First (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0197.846] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x20) returned 0xcff460 [0197.847] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff460 | out: hHeap=0xc80000) returned 1 [0197.847] Sleep (dwMilliseconds=0xa) [0197.921] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x73, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0197.922] Sleep (dwMilliseconds=0xa) [0198.002] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0198.003] Sleep (dwMilliseconds=0xa) [0198.075] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0198.076] Sleep (dwMilliseconds=0xa) [0198.181] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0198.182] Sleep (dwMilliseconds=0xa) [0198.275] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0198.275] Sleep (dwMilliseconds=0xa) [0198.415] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0198.416] Sleep (dwMilliseconds=0xa) [0198.765] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0198.766] Sleep (dwMilliseconds=0xa) [0198.954] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0198.955] Sleep (dwMilliseconds=0xa) [0199.284] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.285] Sleep (dwMilliseconds=0xa) [0199.383] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.384] Sleep (dwMilliseconds=0xa) [0199.624] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1fc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0199.626] Sleep (dwMilliseconds=0xa) [0199.746] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4f, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.747] Sleep (dwMilliseconds=0xa) [0199.877] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0199.879] Sleep (dwMilliseconds=0xa) [0200.068] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.069] Sleep (dwMilliseconds=0xa) [0200.204] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.205] Sleep (dwMilliseconds=0xa) [0200.298] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.299] Sleep (dwMilliseconds=0xa) [0200.373] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.374] Sleep (dwMilliseconds=0xa) [0200.513] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.514] Sleep (dwMilliseconds=0xa) [0200.630] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0200.631] Sleep (dwMilliseconds=0xa) [0200.774] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0200.775] Sleep (dwMilliseconds=0xa) [0200.914] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0200.915] Sleep (dwMilliseconds=0xa) [0200.996] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0200.997] Sleep (dwMilliseconds=0xa) [0201.062] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x778, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x764, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0201.063] Sleep (dwMilliseconds=0xa) [0201.264] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0201.267] Sleep (dwMilliseconds=0xa) [0201.362] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0201.363] Sleep (dwMilliseconds=0xa) [0201.438] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0201.440] Sleep (dwMilliseconds=0xa) [0201.548] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0201.550] Sleep (dwMilliseconds=0xa) [0201.662] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0201.663] Sleep (dwMilliseconds=0xa) [0201.770] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ApplicationFrameHost.exe")) returned 1 [0201.771] Sleep (dwMilliseconds=0xa) [0201.868] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SystemSettings.exe")) returned 1 [0201.869] Sleep (dwMilliseconds=0xa) [0201.977] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0201.978] Sleep (dwMilliseconds=0xa) [0202.238] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0202.238] Sleep (dwMilliseconds=0xa) [0202.519] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0202.520] Sleep (dwMilliseconds=0xa) [0202.636] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="require-wife.exe")) returned 1 [0202.637] Sleep (dwMilliseconds=0xa) [0202.759] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hold_just.exe")) returned 1 [0202.760] Sleep (dwMilliseconds=0xa) [0202.945] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hear.exe")) returned 1 [0202.946] Sleep (dwMilliseconds=0xa) [0203.119] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sourcecampaignmake.exe")) returned 1 [0203.120] Sleep (dwMilliseconds=0xa) [0203.337] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="natureinformationidea.exe")) returned 1 [0203.338] Sleep (dwMilliseconds=0xa) [0203.476] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="entire-oil-if.exe")) returned 1 [0203.477] Sleep (dwMilliseconds=0xa) [0203.694] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="him_between.exe")) returned 1 [0203.695] Sleep (dwMilliseconds=0xa) [0203.791] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sort few.exe")) returned 1 [0203.793] Sleep (dwMilliseconds=0xa) [0203.873] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="involve_her_hundred.exe")) returned 1 [0203.874] Sleep (dwMilliseconds=0xa) [0203.986] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="page.exe")) returned 1 [0203.987] Sleep (dwMilliseconds=0xa) [0204.065] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="say glass.exe")) returned 1 [0204.066] Sleep (dwMilliseconds=0xa) [0204.296] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour.exe")) returned 1 [0204.297] Sleep (dwMilliseconds=0xa) [0204.393] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="red.exe")) returned 1 [0204.395] Sleep (dwMilliseconds=0xa) [0204.844] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="stockupon.exe")) returned 1 [0204.845] Sleep (dwMilliseconds=0xa) [0205.003] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="method.exe")) returned 1 [0205.004] Sleep (dwMilliseconds=0xa) [0205.180] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="huge-on-his.exe")) returned 1 [0205.182] Sleep (dwMilliseconds=0xa) [0205.353] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0205.354] Sleep (dwMilliseconds=0xa) [0205.473] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0205.474] Sleep (dwMilliseconds=0xa) [0205.625] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0205.626] Sleep (dwMilliseconds=0xa) [0205.773] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0205.774] Sleep (dwMilliseconds=0xa) [0205.905] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0205.906] Sleep (dwMilliseconds=0xa) [0206.101] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0206.102] Sleep (dwMilliseconds=0xa) [0206.308] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0206.309] Sleep (dwMilliseconds=0xa) [0206.389] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0206.390] Sleep (dwMilliseconds=0xa) [0206.492] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0206.494] Sleep (dwMilliseconds=0xa) [0206.586] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0206.588] Sleep (dwMilliseconds=0xa) [0206.667] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0206.669] Sleep (dwMilliseconds=0xa) [0206.754] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0206.756] Sleep (dwMilliseconds=0xa) [0206.857] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0206.858] Sleep (dwMilliseconds=0xa) [0206.922] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0206.924] Sleep (dwMilliseconds=0xa) [0206.982] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0206.983] Sleep (dwMilliseconds=0xa) [0207.099] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0207.100] Sleep (dwMilliseconds=0xa) [0207.237] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0207.239] Sleep (dwMilliseconds=0xa) [0207.355] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0207.357] Sleep (dwMilliseconds=0xa) [0207.446] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0207.448] Sleep (dwMilliseconds=0xa) [0207.509] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0207.510] Sleep (dwMilliseconds=0xa) [0207.614] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0207.615] Sleep (dwMilliseconds=0xa) [0207.697] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0207.699] Sleep (dwMilliseconds=0xa) [0207.779] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0207.781] Sleep (dwMilliseconds=0xa) [0207.876] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0207.878] Sleep (dwMilliseconds=0xa) [0207.967] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0207.968] Sleep (dwMilliseconds=0xa) [0208.010] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0208.011] Sleep (dwMilliseconds=0xa) [0208.070] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0208.072] Sleep (dwMilliseconds=0xa) [0208.140] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0208.141] Sleep (dwMilliseconds=0xa) [0208.238] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0208.240] Sleep (dwMilliseconds=0xa) [0208.425] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0208.426] Sleep (dwMilliseconds=0xa) [0208.509] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x100c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0208.511] Sleep (dwMilliseconds=0xa) [0208.590] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0208.591] Sleep (dwMilliseconds=0xa) [0208.662] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0208.663] Sleep (dwMilliseconds=0xa) [0208.755] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0208.757] Sleep (dwMilliseconds=0xa) [0208.851] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0208.853] Sleep (dwMilliseconds=0xa) [0208.945] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1048, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0208.946] Sleep (dwMilliseconds=0xa) [0209.000] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1054, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0209.003] Sleep (dwMilliseconds=0xa) [0209.074] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x105c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0209.076] Sleep (dwMilliseconds=0xa) [0209.145] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x106c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0209.147] Sleep (dwMilliseconds=0xa) [0209.216] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x107c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0209.217] Sleep (dwMilliseconds=0xa) [0209.337] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1084, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0209.338] Sleep (dwMilliseconds=0xa) [0209.405] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1094, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0209.406] Sleep (dwMilliseconds=0xa) [0209.480] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x109c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0209.481] Sleep (dwMilliseconds=0xa) [0209.642] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="assume-use.exe")) returned 1 [0209.643] Sleep (dwMilliseconds=0xa) [0209.765] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="soonfilmsuggest.exe")) returned 1 [0209.766] Sleep (dwMilliseconds=0xa) [0209.820] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x324, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0209.821] Sleep (dwMilliseconds=0xa) [0209.913] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1204, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0209.914] Sleep (dwMilliseconds=0xa) [0210.041] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x133c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x364, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0210.042] Sleep (dwMilliseconds=0xa) [0210.142] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x111c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0210.143] Sleep (dwMilliseconds=0xa) [0210.230] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0210.232] Sleep (dwMilliseconds=0xa) [0210.564] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0210.565] Sleep (dwMilliseconds=0xa) [0210.722] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1334, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0xfcc, pcPriClassBase=8, dwFlags=0x0, szExeFile="wermgr.exe")) returned 1 [0210.723] Sleep (dwMilliseconds=0xa) [0210.810] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0210.811] Sleep (dwMilliseconds=0xa) [0210.880] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x13c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0x13bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0210.881] Sleep (dwMilliseconds=0xa) [0210.931] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x13bc, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0210.933] Sleep (dwMilliseconds=0xa) [0210.974] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0210.975] Sleep (dwMilliseconds=0xa) [0211.050] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0211.051] Sleep (dwMilliseconds=0xa) [0211.411] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0211.413] Sleep (dwMilliseconds=0xa) [0211.499] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1064, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0211.502] Sleep (dwMilliseconds=0xa) [0211.821] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0211.822] Sleep (dwMilliseconds=0xa) [0211.982] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0211.983] Sleep (dwMilliseconds=0xa) [0212.109] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.110] Sleep (dwMilliseconds=0xa) [0212.248] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.249] Sleep (dwMilliseconds=0xa) [0212.462] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0x11e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.464] Sleep (dwMilliseconds=0xa) [0212.609] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xd60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.610] Sleep (dwMilliseconds=0xa) [0212.685] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x784, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x11e0, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0212.686] Sleep (dwMilliseconds=0xa) [0212.774] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x11d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.775] Sleep (dwMilliseconds=0xa) [0212.885] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.886] Sleep (dwMilliseconds=0xa) [0212.982] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x0, th32ParentProcessID=0xc64, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0212.983] Sleep (dwMilliseconds=0xa) [0213.063] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x10d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xc64, pcPriClassBase=8, dwFlags=0x0, szExeFile="WerFault.exe")) returned 1 [0213.064] Sleep (dwMilliseconds=0xa) [0213.258] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0213.259] Sleep (dwMilliseconds=0xa) [0213.328] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 1 [0213.329] Sleep (dwMilliseconds=0xa) [0213.429] Process32Next (in: hSnapshot=0x1fc, lppe=0x18e9a8 | out: lppe=0x18e9a8*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xcf8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sXnufF.exe")) returned 0 [0213.430] CloseHandle (hObject=0x1fc) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd017a8 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd017c0 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd017e0 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff738 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01810 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01828 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01840 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd017f8 | out: hHeap=0xc80000) returned 1 [0213.431] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01858 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01788 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01870 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01798 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd018a8 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd018b8 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd018e0 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd018f8 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd018d0 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01940 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01958 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01970 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01888 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff068 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff168 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff270 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff150 | out: hHeap=0xc80000) returned 1 [0213.432] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff0f0 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff258 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01910 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff040 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff0a8 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff1b0 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff1c8 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff228 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff0c0 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff008 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff108 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff210 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff120 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01930 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff240 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff028 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff198 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff0d8 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff180 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff138 | out: hHeap=0xc80000) returned 1 [0213.433] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff1f8 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff288 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff1e0 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a98 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2c0 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80900 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff298 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc809c0 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc809d8 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80b10 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80978 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff370 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff390 | out: hHeap=0xc80000) returned 1 [0213.434] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff3b8 | out: hHeap=0xc80000) returned 1 [0213.435] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff3d8 | out: hHeap=0xc80000) returned 1 [0213.435] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a68 | out: hHeap=0xc80000) returned 1 [0213.435] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff350 | out: hHeap=0xc80000) returned 1 [0213.435] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff308 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80b40 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2a8 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80b28 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a20 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff400 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80ae0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff420 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff440 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff338 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80ab0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2d0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a38 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2e0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc809f0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff2f0 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80a08 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff488 | out: hHeap=0xc80000) returned 1 [0213.436] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80e20 | out: hHeap=0xc80000) returned 1 [0213.437] lstrlenW (lpString="䉁䑃䙅Gခx") returned 7 [0213.437] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0xc) returned 0xc80af8 [0213.437] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f408, cchNumber=34 | out: lpNumberStr="è\x07\x7f") returned 0 [0213.437] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x42) returned 0xcff008 [0213.438] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\wermgr.exe", lpDst=0x18f488, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\wermgr.exe") returned 0x1f [0213.439] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff008 | out: hHeap=0xc80000) returned 1 [0213.439] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x3e) returned 0xcff008 [0213.439] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f408, cchNumber=34 | out: lpNumberStr="<") returned 0 [0213.439] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x5a) returned 0xc80eb0 [0213.439] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\backgroundTaskHost.exe", lpDst=0x18f488, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\backgroundTaskHost.exe") returned 0x2b [0213.440] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80eb0 | out: hHeap=0xc80000) returned 1 [0213.440] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x56) returned 0xc80eb0 [0213.440] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f408, cchNumber=34 | out: lpNumberStr="T") returned 0 [0213.440] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x42) returned 0xc80f10 [0213.440] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\SysWOW64\\dxdiag.exe", lpDst=0x18f488, nSize=0x104 | out: lpDst="C:\\Windows\\SysWOW64\\dxdiag.exe") returned 0x1f [0213.441] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80f10 | out: hHeap=0xc80000) returned 1 [0213.441] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x3e) returned 0xc80f10 [0213.441] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\wermgr.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f668*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f6c0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\wermgr.exe", lpProcessInformation=0x18f6c0*(hProcess=0x200, hThread=0x1fc, dwProcessId=0xa7c, dwThreadId=0x5c0)) returned 1 [0213.465] NtAllocateVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f3a4*=0x0, ZeroBits=0x0, RegionSize=0x18f39c*=0x24000, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x18f3a4*=0x4a0000, RegionSize=0x18f39c*=0x24000) returned 0x0 [0213.466] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x1ac6) returned 0xd048b8 [0213.466] NtAllocateVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f368*=0x0, ZeroBits=0x0, RegionSize=0x18f378*=0x1ac4, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x18f368*=0x4d0000, RegionSize=0x18f378*=0x2000) returned 0x0 [0213.467] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x4d0000, Buffer=0xd048b8*, NumberOfBytesToWrite=0x1ac4, NumberOfBytesWritten=0x18f364 | out: Buffer=0xd048b8*, NumberOfBytesWritten=0x18f364*=0x1ac4) returned 0x0 [0213.468] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f368*=0x4d0000, NumberOfBytesToProtect=0x18f378, NewAccessProtection=0x4, OldAccessProtection=0x18f360 | out: BaseAddress=0x18f368*=0x4d0000, NumberOfBytesToProtect=0x18f378, OldAccessProtection=0x18f360*=0x4) returned 0x0 [0213.470] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd048b8 | out: hHeap=0xc80000) returned 1 [0213.470] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x24002) returned 0xc80f58 [0213.473] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x4a0000, Buffer=0xc80f58*, NumberOfBytesToWrite=0x24000, NumberOfBytesWritten=0x18f38c | out: Buffer=0xc80f58*, NumberOfBytesWritten=0x18f38c*=0x24000) returned 0x0 [0213.484] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f33c*=0x4a0000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x4, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f33c*=0x4a0000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.015] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f330*=0x4a1000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x20, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f330*=0x4a1000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.059] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f330*=0x4ba000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x4, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f330*=0x4ba000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.084] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f330*=0x4bf000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x4, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f330*=0x4bf000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.179] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f330*=0x4c2000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x2, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f330*=0x4c2000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.656] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f330*=0x4c3000, NumberOfBytesToProtect=0x18f354, NewAccessProtection=0x2, OldAccessProtection=0x18f348 | out: BaseAddress=0x18f330*=0x4c3000, NumberOfBytesToProtect=0x18f354, OldAccessProtection=0x18f348*=0x40) returned 0x0 [0227.779] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80f58 | out: hHeap=0xc80000) returned 1 [0227.779] GetThreadContext (in: hThread=0x1fc, lpContext=0x18f3bc | out: lpContext=0x18f3bc*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x309000, Edx=0x0, Ecx=0x0, Eax=0x919700, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0227.844] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f690*=0x919700, NumberOfBytesToProtect=0x18f6a0, NewAccessProtection=0x4, OldAccessProtection=0x18f694 | out: BaseAddress=0x18f690*=0x919000, NumberOfBytesToProtect=0x18f6a0, OldAccessProtection=0x18f694*=0x20) returned 0x0 [0227.896] NtWriteVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x919700, Buffer=0x18f698*, NumberOfBytesToWrite=0x5, NumberOfBytesWritten=0x18f6a0 | out: Buffer=0x18f698*, NumberOfBytesWritten=0x18f6a0*=0x5) returned 0x0 [0228.071] NtProtectVirtualMemory (in: ProcessHandle=0x200, BaseAddress=0x18f688*=0x919700, NumberOfBytesToProtect=0x18f6a0, NewAccessProtection=0x20, OldAccessProtection=0x18f68c | out: BaseAddress=0x18f688*=0x919000, NumberOfBytesToProtect=0x18f6a0, OldAccessProtection=0x18f68c*=0x4) returned 0x0 [0249.089] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.090] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] lstrlenW (lpString="䉁䑃䙅") returned 3 [0249.091] RtlAllocateHeap (HeapHandle=0xc80000, Flags=0x8, Size=0x47) returned 0xd01770 [0249.092] _vsnprintf (in: _DstBuf=0x18f684, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0x18ec28 | out: _DstBuf="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 38 [0249.093] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xd01770 | out: hHeap=0xc80000) returned 1 [0249.093] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 0x1ec [0249.093] GetLastError () returned 0x0 [0249.093] NtResumeThread (in: ThreadHandle=0x1fc, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0249.179] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x2710) returned 0x0 [0250.400] CloseHandle (hObject=0x1ec) returned 1 [0250.400] CloseHandle (hObject=0x1fc) returned 1 [0250.400] CloseHandle (hObject=0x200) returned 1 [0250.400] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xcff008 | out: hHeap=0xc80000) returned 1 [0250.401] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80eb0 | out: hHeap=0xc80000) returned 1 [0250.401] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80f10 | out: hHeap=0xc80000) returned 1 [0250.401] HeapFree (in: hHeap=0xc80000, dwFlags=0x0, lpMem=0xc80af8 | out: hHeap=0xc80000) returned 1 [0250.402] ExitProcess (uExitCode=0x0) [0250.402] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x830a28 | out: hHeap=0x820000) returned 1 Thread: id = 603 os_tid = 0xfcc Thread: id = 682 os_tid = 0x1314 Thread: id = 683 os_tid = 0xd1c Process: id = "287" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x20a02000" os_pid = "0x12b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20685 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20686 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20687 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20688 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20689 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20690 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20691 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20692 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20693 start_va = 0x7c0000 end_va = 0x7c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 20694 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20695 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20696 start_va = 0x7f260000 end_va = 0x7f282fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f260000" filename = "" Region: id = 20697 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20698 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20699 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20700 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20701 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20702 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20703 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20704 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20705 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20706 start_va = 0x7d0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 20749 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20750 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20754 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20755 start_va = 0x7f160000 end_va = 0x7f25ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f160000" filename = "" Region: id = 20756 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20757 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 20758 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20759 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20760 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20761 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 20762 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20763 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20764 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20765 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20766 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20767 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20768 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20769 start_va = 0x7c0000 end_va = 0x7c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 20770 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20771 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20772 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20773 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20777 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20778 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20779 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20780 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20781 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20782 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20783 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 20784 start_va = 0x960000 end_va = 0x989fff monitored = 0 entry_point = 0x965680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20785 start_va = 0x9a0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 20786 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20788 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20789 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 20790 start_va = 0xaa0000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 20791 start_va = 0xc30000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 20792 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20793 start_va = 0xc30000 end_va = 0xcc0fff monitored = 0 entry_point = 0xc68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20794 start_va = 0xdf0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 20798 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20799 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 20800 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 20801 start_va = 0x970000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 20803 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 20804 start_va = 0x980000 end_va = 0x981fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 20805 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 20806 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 20814 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 20815 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Thread: id = 604 os_tid = 0x132c [0197.942] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0197.942] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0197.942] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0197.942] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0197.942] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0197.942] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0197.943] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0197.943] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0197.943] GetProcessHeap () returned 0x9a0000 [0197.944] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0197.944] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0197.944] GetLastError () returned 0x7e [0197.944] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0197.944] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0197.944] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x364) returned 0x9b0a50 [0197.944] SetLastError (dwErrCode=0x7e) [0197.946] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xe00) returned 0x9b0dc0 [0197.948] GetStartupInfoW (in: lpStartupInfo=0x18f7cc | out: lpStartupInfo=0x18f7cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0197.948] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0197.948] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0197.948] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0197.948] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"" [0197.948] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"" [0197.948] GetACP () returned 0x4e4 [0197.948] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x220) returned 0x9b1bc8 [0197.948] IsValidCodePage (CodePage=0x4e4) returned 1 [0197.948] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7ec | out: lpCPInfo=0x18f7ec) returned 1 [0197.948] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0b4 | out: lpCPInfo=0x18f0b4) returned 1 [0197.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0197.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0197.948] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f0c8 | out: lpCharType=0x18f0c8) returned 1 [0197.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0197.948] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0197.948] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0197.949] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0197.949] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0197.949] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ebf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0197.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5c8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8b@=L\x04ø\x18", lpUsedDefaultChar=0x0) returned 256 [0197.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0197.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6c8, cbMultiByte=256, lpWideCharStr=0x18ee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0197.949] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0197.949] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0197.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4c8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8b@=L\x04ø\x18", lpUsedDefaultChar=0x0) returned 256 [0197.949] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x80) returned 0x9a3858 [0197.949] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0197.949] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x17a) returned 0x9b1df0 [0197.949] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0197.949] GetLastError () returned 0x0 [0197.949] SetLastError (dwErrCode=0x0) [0197.949] GetEnvironmentStringsW () returned 0x9b1f78* [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa8c) returned 0x9b2a10 [0197.950] FreeEnvironmentStringsW (penv=0x9b1f78) returned 1 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a4548 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3e) returned 0x9aabe0 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x5c) returned 0x9a8820 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x6e) returned 0x9a4610 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x78) returned 0x9b3950 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a49e0 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x28) returned 0x9a3d78 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a3fc8 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1a) returned 0x9a0570 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aae68 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a3bd8 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2a) returned 0x9a8708 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a8740 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1c) returned 0x9a3da8 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x144) returned 0x9a9c98 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x7c) returned 0x9a8080 [0197.950] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae0e0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aaeb0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a4380 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a38f8 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x30) returned 0x9a8468 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae360 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a28f0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a04b8 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3c) returned 0x9aab50 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xd6) returned 0x9a9e58 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a8660 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1e) returned 0x9a2940 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a85f0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x54) returned 0x9a3df0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a4050 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3e50 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x42) returned 0x9a40b0 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8698 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x44) returned 0x9a9f88 [0197.951] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3928 [0197.952] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9b2a10 | out: hHeap=0x9a0000) returned 1 [0197.952] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x800) returned 0x9b1f78 [0197.952] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0197.952] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0197.952] GetStartupInfoW (in: lpStartupInfo=0x18f830 | out: lpStartupInfo=0x18f830*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0197.952] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"" [0197.952] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"", pNumArgs=0x18f81c | out: pNumArgs=0x18f81c) returned 0x9b2bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0197.953] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0198.005] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x1000) returned 0x9b44b0 [0198.005] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x28) returned 0x9aa6d0 [0198.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_addProvider", cchWideChar=-1, lpMultiByteStr=0x9aa6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_addProvider", lpUsedDefaultChar=0x0) returned 20 [0198.006] GetLastError () returned 0x0 [0198.006] SetLastError (dwErrCode=0x0) [0198.006] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderW") returned 0x0 [0198.006] GetLastError () returned 0x7f [0198.006] SetLastError (dwErrCode=0x7f) [0198.006] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderA") returned 0x0 [0198.006] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProvider") returned 0x647cb3e5 [0198.006] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x4) returned 0x9a3800 [0198.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x9a3800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0198.006] GetActiveWindow () returned 0x0 [0198.007] GetLastError () returned 0x7f [0198.008] SetLastError (dwErrCode=0x7f) Thread: id = 608 os_tid = 0xcb8 Process: id = "288" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x204cc000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "287" os_parent_pid = "0x12b8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "289" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x69c1a000" os_pid = "0xd9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20816 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20817 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20818 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20819 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20820 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 20821 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 20822 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 20823 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 20824 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20825 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 20826 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20827 start_va = 0x7e4b0000 end_va = 0x7e4d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4b0000" filename = "" Region: id = 20828 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20829 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20830 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20831 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20836 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20837 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20838 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20839 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20840 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20841 start_va = 0x490000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 20842 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20843 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20882 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20883 start_va = 0x7e3b0000 end_va = 0x7e4affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3b0000" filename = "" Region: id = 20884 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20885 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20886 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20887 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 20888 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 20889 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 20890 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20891 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20892 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 20896 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20897 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20898 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20899 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20900 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 20901 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20902 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20903 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20904 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20905 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 20919 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20920 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20921 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 20922 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 20923 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 20924 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20925 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 20926 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20947 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20948 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 20949 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 20950 start_va = 0xac0000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 20951 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 20952 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 20953 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 20974 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 20981 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 20982 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 20983 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 20988 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 20989 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 21001 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 21002 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 21003 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 21004 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 610 os_tid = 0x1354 [0199.322] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0199.322] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0199.322] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0199.322] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0199.323] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0199.323] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0199.323] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0199.324] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0199.324] GetProcessHeap () returned 0x4e0000 [0199.324] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0199.324] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0199.324] GetLastError () returned 0x7e [0199.324] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0199.324] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0199.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x364) returned 0x4f0a60 [0199.325] SetLastError (dwErrCode=0x7e) [0199.325] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xe00) returned 0x4f0dd0 [0199.326] GetStartupInfoW (in: lpStartupInfo=0x18f968 | out: lpStartupInfo=0x18f968*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0199.326] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0199.326] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0199.326] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0199.327] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"" [0199.327] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"" [0199.327] GetACP () returned 0x4e4 [0199.327] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x220) returned 0x4f1bd8 [0199.327] IsValidCodePage (CodePage=0x4e4) returned 1 [0199.327] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f988 | out: lpCPInfo=0x18f988) returned 1 [0199.327] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f250 | out: lpCPInfo=0x18f250) returned 1 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0199.327] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f264 | out: lpCharType=0x18f264) returned 1 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0199.327] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0199.327] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0199.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0199.327] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0199.327] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f764, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ4Õº\x8c ù\x18", lpUsedDefaultChar=0x0) returned 256 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0199.327] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0199.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0199.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0199.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f664, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ4Õº\x8c ù\x18", lpUsedDefaultChar=0x0) returned 256 [0199.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x80) returned 0x4e3868 [0199.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0199.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x188) returned 0x4f1e00 [0199.328] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0199.328] GetLastError () returned 0x0 [0199.328] SetLastError (dwErrCode=0x0) [0199.328] GetEnvironmentStringsW () returned 0x4f1f90* [0199.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0xa8c) returned 0x4f2a28 [0199.328] FreeEnvironmentStringsW (penv=0x4f1f90) returned 1 [0199.328] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x90) returned 0x4e4558 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x3e) returned 0x4eade8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x5c) returned 0x4e8830 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x6e) returned 0x4e4620 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x78) returned 0x4f3968 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x62) returned 0x4e49f0 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x28) returned 0x4e3d88 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x48) returned 0x4e3fd8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x1a) returned 0x4e0570 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x3a) returned 0x4eaf98 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x62) returned 0x4e3be8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2a) returned 0x4e8478 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2e) returned 0x4e8520 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x1c) returned 0x4e3db8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x144) returned 0x4e9ca8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x7c) returned 0x4e8090 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x36) returned 0x4ee2b0 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x3a) returned 0x4eaad0 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x90) returned 0x4e4390 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x24) returned 0x4e3908 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x30) returned 0x4e86e0 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x36) returned 0x4ee2f0 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x48) returned 0x4e2900 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x52) returned 0x4e04b8 [0199.329] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x3c) returned 0x4eb0b8 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0xd6) returned 0x4e9e68 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2e) returned 0x4e8750 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x1e) returned 0x4e2950 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2c) returned 0x4e8558 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x54) returned 0x4e3e00 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x52) returned 0x4e4060 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x24) returned 0x4e3e60 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x42) returned 0x4e40c0 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x2c) returned 0x4e8638 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x44) returned 0x4e9f98 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x24) returned 0x4e3938 [0199.330] HeapFree (in: hHeap=0x4e0000, dwFlags=0x0, lpMem=0x4f2a28 | out: hHeap=0x4e0000) returned 1 [0199.330] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x8, Size=0x800) returned 0x4f1f90 [0199.331] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0199.331] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0199.331] GetStartupInfoW (in: lpStartupInfo=0x18f9cc | out: lpStartupInfo=0x18f9cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0199.331] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"" [0199.331] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"", pNumArgs=0x18f9b8 | out: pNumArgs=0x18f9b8) returned 0x4f2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0199.331] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0199.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x1000) returned 0x4f44c8 [0199.334] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x36) returned 0x4ee330 [0199.334] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_create", cchWideChar=-1, lpMultiByteStr=0x4ee330, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_create", lpUsedDefaultChar=0x0) returned 27 [0199.334] GetLastError () returned 0x0 [0199.334] SetLastError (dwErrCode=0x0) [0199.334] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createW") returned 0x0 [0199.334] GetLastError () returned 0x7f [0199.334] SetLastError (dwErrCode=0x7f) [0199.334] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createA") returned 0x0 [0199.335] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_create") returned 0x647c7d14 [0199.335] RtlAllocateHeap (HeapHandle=0x4e0000, Flags=0x0, Size=0x4) returned 0x4e3810 [0199.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x4e3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0199.335] GetActiveWindow () returned 0x0 [0199.352] GetLastError () returned 0x7f [0199.352] SetLastError (dwErrCode=0x7f) Thread: id = 614 os_tid = 0xd78 Process: id = "290" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x2025b000" os_pid = "0x11f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "287" os_parent_pid = "0x12b8" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4792 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 20844 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 20845 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 20846 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 20847 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 20848 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 20849 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 20850 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 20851 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 20852 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20853 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 20854 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 20855 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 20856 start_va = 0x7e500000 end_va = 0x7e522fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e500000" filename = "" Region: id = 20857 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 20858 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 20859 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 20860 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 20861 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 20862 start_va = 0x100000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 20863 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 20864 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 20906 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20907 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 20908 start_va = 0x410000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 20909 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 20910 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 20911 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 20912 start_va = 0x7e400000 end_va = 0x7e4fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e400000" filename = "" Region: id = 20913 start_va = 0x560000 end_va = 0x61dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 20927 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 20928 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 20929 start_va = 0x170000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 20930 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 20931 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 20932 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 20933 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 20934 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 20935 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 20936 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 20937 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 20938 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 20939 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 20940 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 20941 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 20942 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 20955 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 20956 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 20957 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 20958 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 20959 start_va = 0x620000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 20960 start_va = 0x410000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 20961 start_va = 0x460000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 20962 start_va = 0x420000 end_va = 0x423fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 20963 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 20964 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 20965 start_va = 0x430000 end_va = 0x459fff monitored = 0 entry_point = 0x435680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20966 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 20967 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 20968 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 20969 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 20970 start_va = 0x430000 end_va = 0x433fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 20977 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 20978 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 20979 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 20980 start_va = 0xa30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 20992 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 20993 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 20994 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 20995 start_va = 0x700000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 20996 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 20997 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 20998 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 20999 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21000 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21008 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21009 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21010 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21011 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21012 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21013 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21014 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21015 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21016 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21017 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21018 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21019 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21020 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21021 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21022 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21023 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21024 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21025 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21026 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21027 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21028 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21029 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21030 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21031 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21032 start_va = 0x620000 end_va = 0x626fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 21058 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21059 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21060 start_va = 0x660000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 21088 start_va = 0x620000 end_va = 0x621fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 21089 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21090 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 21091 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21092 start_va = 0x6f840000 end_va = 0x6f8affff monitored = 0 entry_point = 0x6f894b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 21093 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 21094 start_va = 0xa30000 end_va = 0xb19fff monitored = 0 entry_point = 0xa6d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21095 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 21112 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 21113 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21114 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 21115 start_va = 0xa30000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 21116 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21127 start_va = 0xb40000 end_va = 0xe76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 21128 start_va = 0x630000 end_va = 0x631fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21129 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21130 start_va = 0x630000 end_va = 0x635fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21131 start_va = 0x630000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21132 start_va = 0xe80000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 21133 start_va = 0x630000 end_va = 0x639fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21134 start_va = 0x630000 end_va = 0x63bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21135 start_va = 0x630000 end_va = 0x63dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21136 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21137 start_va = 0x630000 end_va = 0x641fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21138 start_va = 0x630000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21139 start_va = 0x630000 end_va = 0x645fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21140 start_va = 0x630000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21141 start_va = 0x630000 end_va = 0x649fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21142 start_va = 0x630000 end_va = 0x64bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21143 start_va = 0x630000 end_va = 0x64dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21144 start_va = 0x630000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21154 start_va = 0xf80000 end_va = 0x105ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 21212 start_va = 0x6530000 end_va = 0x6600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 21227 start_va = 0x6610000 end_va = 0x66bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 21240 start_va = 0x66c0000 end_va = 0x6766fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 21366 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 21367 start_va = 0x640000 end_va = 0x642fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 21368 start_va = 0x650000 end_va = 0x653fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 21383 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 21384 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21385 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21386 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21387 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21388 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21389 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21390 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21391 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21392 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21393 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21394 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21395 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21396 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21404 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21405 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21406 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21407 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21408 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21409 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21410 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21411 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21412 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21413 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 21414 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21415 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21416 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21417 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21418 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21429 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 21430 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 21431 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21432 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21445 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 21446 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21447 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21448 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21449 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 21450 start_va = 0x160000 end_va = 0x161fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 21451 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 21452 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 21453 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 21470 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 21471 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 21472 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 21473 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 21968 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 21969 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 21970 start_va = 0x6630000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 21971 start_va = 0x6670000 end_va = 0x66affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006670000" filename = "" Region: id = 21972 start_va = 0x66b0000 end_va = 0x66effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066b0000" filename = "" Region: id = 21973 start_va = 0x66f0000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 21974 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22126 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 22127 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22318 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22492 start_va = 0x6e0000 end_va = 0x6e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 22493 start_va = 0x6730000 end_va = 0x6730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006730000" filename = "" Region: id = 22494 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22713 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22932 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 22933 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 22935 start_va = 0x67b0000 end_va = 0x67b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000067b0000" filename = "" Region: id = 22936 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 23160 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 23269 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23270 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 23271 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 23272 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 23273 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 23274 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 23275 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 23276 start_va = 0x6830000 end_va = 0x6830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006830000" filename = "" Region: id = 23277 start_va = 0x6830000 end_va = 0x68ebfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006830000" filename = "" Region: id = 23278 start_va = 0x68f0000 end_va = 0x68f3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068f0000" filename = "" Region: id = 23279 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 23280 start_va = 0x6900000 end_va = 0x6903fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006900000" filename = "" Region: id = 23281 start_va = 0x6910000 end_va = 0x6910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006910000" filename = "" Region: id = 23282 start_va = 0x6920000 end_va = 0x6920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006920000" filename = "" Region: id = 23283 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 23284 start_va = 0x6930000 end_va = 0x6930fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 23285 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 23286 start_va = 0x6940000 end_va = 0x6942fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 23287 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23290 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 23291 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 23292 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 23390 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23391 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 612 os_tid = 0xc88 Thread: id = 615 os_tid = 0xcc4 Thread: id = 616 os_tid = 0x1324 Thread: id = 637 os_tid = 0xd5c Thread: id = 638 os_tid = 0xd48 Thread: id = 640 os_tid = 0xf3c Thread: id = 674 os_tid = 0xc9c Thread: id = 687 os_tid = 0xcc0 Process: id = "291" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1ffb9000" os_pid = "0x1378" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "289" os_parent_pid = "0xd9c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "292" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1fd30000" os_pid = "0xd14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21038 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21039 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21040 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21041 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21042 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21043 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21044 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21045 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21046 start_va = 0x7a0000 end_va = 0x7a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 21047 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21048 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21049 start_va = 0x7f100000 end_va = 0x7f122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f100000" filename = "" Region: id = 21050 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21051 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21052 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21053 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21061 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21062 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21063 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21064 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21065 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21066 start_va = 0x7b0000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 21069 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21070 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21071 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21072 start_va = 0x7f000000 end_va = 0x7f0fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f000000" filename = "" Region: id = 21073 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21074 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21075 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21076 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21077 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 21078 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21079 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21080 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21081 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21082 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21083 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21084 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21085 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 21096 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21097 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21098 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21099 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21100 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21101 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21102 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21103 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21104 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21105 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21106 start_va = 0x7b0000 end_va = 0x7d9fff monitored = 0 entry_point = 0x7b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21107 start_va = 0x850000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 21108 start_va = 0x950000 end_va = 0xad7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 21109 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21117 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21118 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21119 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 21120 start_va = 0xae0000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 21121 start_va = 0xc70000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 21122 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21123 start_va = 0x7b0000 end_va = 0x840fff monitored = 0 entry_point = 0x7e8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21145 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21146 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 21147 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 21148 start_va = 0x7c0000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 21151 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 21155 start_va = 0x7d0000 end_va = 0x7d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 21156 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 21157 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 21158 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 21159 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Thread: id = 617 os_tid = 0xd28 [0200.728] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0200.728] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0200.729] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0200.729] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0200.729] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0200.729] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0200.730] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0200.730] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0200.731] GetProcessHeap () returned 0x850000 [0200.731] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0200.731] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0200.731] GetLastError () returned 0x7e [0200.731] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0200.731] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0200.731] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x364) returned 0x8609a8 [0200.731] SetLastError (dwErrCode=0x7e) [0200.732] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0xe00) returned 0x860d18 [0200.734] GetStartupInfoW (in: lpStartupInfo=0x18f98c | out: lpStartupInfo=0x18f98c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0200.734] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0200.734] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0200.734] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0200.734] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"" [0200.734] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"" [0200.734] GetACP () returned 0x4e4 [0200.734] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0x220) returned 0x861b20 [0200.734] IsValidCodePage (CodePage=0x4e4) returned 1 [0200.734] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9ac | out: lpCPInfo=0x18f9ac) returned 1 [0200.734] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f274 | out: lpCPInfo=0x18f274) returned 1 [0200.734] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0200.734] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x18f018, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0200.734] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f288 | out: lpCharType=0x18f288) returned 1 [0200.734] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0200.734] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0200.734] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0200.735] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0200.735] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0200.735] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0200.735] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f788, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¾ñÐ\x7fÄù\x18", lpUsedDefaultChar=0x0) returned 256 [0200.735] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0200.735] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f888, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0200.735] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0200.735] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0200.735] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f688, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¾ñÐ\x7fÄù\x18", lpUsedDefaultChar=0x0) returned 256 [0200.735] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0x80) returned 0x853870 [0200.735] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0200.735] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x18a) returned 0x861d48 [0200.735] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0200.735] GetLastError () returned 0x0 [0200.736] SetLastError (dwErrCode=0x0) [0200.736] GetEnvironmentStringsW () returned 0x861ee0* [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0xa8c) returned 0x862978 [0200.736] FreeEnvironmentStringsW (penv=0x861ee0) returned 1 [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x90) returned 0x854568 [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x3e) returned 0x85ad70 [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x5c) returned 0x858aa8 [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x6e) returned 0x854860 [0200.736] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x78) returned 0x863eb8 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x62) returned 0x854a00 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x28) returned 0x853d90 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x48) returned 0x853fe8 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x1a) returned 0x853dc0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x3a) returned 0x85ad28 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x62) returned 0x854630 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x2a) returned 0x858680 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x2e) returned 0x8586f0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x1c) returned 0x8547d0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x144) returned 0x859cc0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x7c) returned 0x8543a0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x36) returned 0x85deb8 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x3a) returned 0x85aaa0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x90) returned 0x853e08 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x24) returned 0x8547f8 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x30) returned 0x8587d0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x36) returned 0x85e2f8 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x48) returned 0x853bf0 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x52) returned 0x853910 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x3c) returned 0x85ae48 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0xd6) returned 0x859e80 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x2e) returned 0x858840 [0200.737] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x1e) returned 0x853c40 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x2c) returned 0x8589c8 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x54) returned 0x852900 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x52) returned 0x8504b8 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x24) returned 0x854070 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x42) returned 0x8540a0 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x2c) returned 0x858878 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x44) returned 0x859fb0 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x24) returned 0x8540f0 [0200.738] HeapFree (in: hHeap=0x850000, dwFlags=0x0, lpMem=0x862978 | out: hHeap=0x850000) returned 1 [0200.738] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x8, Size=0x800) returned 0x861ee0 [0200.739] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0200.739] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0200.739] GetStartupInfoW (in: lpStartupInfo=0x18f9f0 | out: lpStartupInfo=0x18f9f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0200.739] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"" [0200.739] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"", pNumArgs=0x18f9dc | out: pNumArgs=0x18f9dc) returned 0x862b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0200.740] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0200.743] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0x1000) returned 0x864418 [0200.743] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0x38) returned 0x85e5b8 [0200.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decrypt", cchWideChar=-1, lpMultiByteStr=0x85e5b8, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decrypt", lpUsedDefaultChar=0x0) returned 28 [0200.743] GetLastError () returned 0x0 [0200.743] SetLastError (dwErrCode=0x0) [0200.743] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptW") returned 0x0 [0200.744] GetLastError () returned 0x7f [0200.744] SetLastError (dwErrCode=0x7f) [0200.744] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptA") returned 0x0 [0200.744] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decrypt") returned 0x647c7430 [0200.744] RtlAllocateHeap (HeapHandle=0x850000, Flags=0x0, Size=0x4) returned 0x853ea0 [0200.744] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x853ea0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0200.744] GetActiveWindow () returned 0x0 [0200.745] GetLastError () returned 0x7f [0200.745] SetLastError (dwErrCode=0x7f) Thread: id = 619 os_tid = 0x11d8 Process: id = "293" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x1fd61000" os_pid = "0x3f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "292" os_parent_pid = "0xd14" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3348 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21164 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21165 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21166 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21167 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21168 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 21169 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 21170 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 21171 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21172 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21173 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 21174 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 21175 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21176 start_va = 0x7f020000 end_va = 0x7f042fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f020000" filename = "" Region: id = 21177 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21178 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21179 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 21180 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21181 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21182 start_va = 0x100000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 21183 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21184 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21188 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21189 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21190 start_va = 0x410000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 21191 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21192 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21194 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21195 start_va = 0x7ef20000 end_va = 0x7f01ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef20000" filename = "" Region: id = 21196 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21197 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21198 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 21199 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 21200 start_va = 0x170000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 21201 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21202 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21203 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21204 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21205 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 21206 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21207 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21208 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21213 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21214 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 21215 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 21216 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 21217 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21218 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 21219 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 21220 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 21221 start_va = 0x5d0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 21222 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 21223 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 21224 start_va = 0x5d0000 end_va = 0x5d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 21225 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 21228 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21229 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21230 start_va = 0x5e0000 end_va = 0x609fff monitored = 0 entry_point = 0x5e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21231 start_va = 0x6f0000 end_va = 0x877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 21232 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21233 start_va = 0x5e0000 end_va = 0x5e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 21234 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 21235 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 21241 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21242 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 21243 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 21244 start_va = 0x5f0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 21273 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 21274 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 21275 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 21276 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 21277 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21278 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 21279 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 21280 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21281 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21282 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21283 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21284 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21285 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21286 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21287 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21288 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21289 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21330 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21331 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21332 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21333 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21334 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21335 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21336 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21337 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21338 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21339 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21340 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21341 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21342 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21343 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21344 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21345 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21346 start_va = 0x610000 end_va = 0x616fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 21369 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21370 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 21371 start_va = 0xa10000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 21419 start_va = 0x610000 end_va = 0x611fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 21420 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21421 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 21422 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21423 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 21424 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 21425 start_va = 0xa90000 end_va = 0xb79fff monitored = 0 entry_point = 0xacd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21433 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 21434 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21435 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 21436 start_va = 0xa90000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 21437 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21454 start_va = 0xb90000 end_va = 0xec6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 21455 start_va = 0x620000 end_va = 0x621fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21456 start_va = 0x620000 end_va = 0x623fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21457 start_va = 0x620000 end_va = 0x625fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21458 start_va = 0x620000 end_va = 0x627fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21459 start_va = 0xed0000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 21460 start_va = 0x620000 end_va = 0x629fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21461 start_va = 0x620000 end_va = 0x62bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21462 start_va = 0x620000 end_va = 0x62dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21463 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21464 start_va = 0x620000 end_va = 0x631fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21465 start_va = 0x620000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21466 start_va = 0x620000 end_va = 0x635fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21467 start_va = 0x620000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21474 start_va = 0x620000 end_va = 0x639fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21475 start_va = 0x620000 end_va = 0x63bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21476 start_va = 0x620000 end_va = 0x63dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21477 start_va = 0x620000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21480 start_va = 0xfd0000 end_va = 0x10affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 21538 start_va = 0x6530000 end_va = 0x65fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 21543 start_va = 0x6600000 end_va = 0x66b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006600000" filename = "" Region: id = 21553 start_va = 0x66c0000 end_va = 0x676dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 21574 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21575 start_va = 0x630000 end_va = 0x632fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 21576 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 21577 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 21578 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21579 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21597 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21598 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21599 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21600 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21601 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21602 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21603 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21604 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21605 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21606 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21607 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21608 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21609 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21610 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21611 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21612 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21613 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21621 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21622 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21623 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21624 start_va = 0x6530000 end_va = 0x662ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006530000" filename = "" Region: id = 21625 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21626 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21627 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21628 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21629 start_va = 0x650000 end_va = 0x656fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21642 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 21643 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 21644 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21645 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21663 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 21664 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21665 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21666 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21667 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 21668 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 21669 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 21670 start_va = 0x650000 end_va = 0x650fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 21671 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 21672 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 21673 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 21679 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 21680 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22136 start_va = 0x6630000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006630000" filename = "" Region: id = 22137 start_va = 0x6670000 end_va = 0x66affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006670000" filename = "" Region: id = 22138 start_va = 0x66b0000 end_va = 0x66effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066b0000" filename = "" Region: id = 22139 start_va = 0x66f0000 end_va = 0x672ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 22140 start_va = 0x6730000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006730000" filename = "" Region: id = 22141 start_va = 0x6770000 end_va = 0x67affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 22142 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22368 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 22369 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22497 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 22739 start_va = 0x650000 end_va = 0x654fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 22740 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 22741 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 22924 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 23185 start_va = 0x67b0000 end_va = 0x67effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 23186 start_va = 0x67f0000 end_va = 0x682ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067f0000" filename = "" Region: id = 23191 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 23192 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 23320 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 23489 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 23490 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 23496 start_va = 0x6830000 end_va = 0x686ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006830000" filename = "" Region: id = 23497 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 23498 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 23499 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 23500 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 23501 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 23502 start_va = 0x68b0000 end_va = 0x696bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068b0000" filename = "" Region: id = 23503 start_va = 0x670000 end_va = 0x673fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 23504 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 23505 start_va = 0x690000 end_va = 0x693fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 23506 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 23507 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 23514 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 23515 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 23516 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 23517 start_va = 0x10b0000 end_va = 0x10b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 23518 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23519 start_va = 0x6970000 end_va = 0x6e61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006970000" filename = "" Region: id = 23521 start_va = 0x6e70000 end_va = 0x7eaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 23522 start_va = 0x7eb0000 end_va = 0x7ef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007eb0000" filename = "" Region: id = 23550 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23551 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 620 os_tid = 0xd34 Thread: id = 621 os_tid = 0x1244 Thread: id = 625 os_tid = 0x1194 Thread: id = 645 os_tid = 0xf40 Thread: id = 646 os_tid = 0xfb4 Thread: id = 647 os_tid = 0xfc8 Thread: id = 681 os_tid = 0x11ac Thread: id = 697 os_tid = 0xba0 Process: id = "294" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7d9ca000" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "292" os_parent_pid = "0xd14" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "295" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1f446000" os_pid = "0x3b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21249 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21250 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21251 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21252 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21253 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21254 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21255 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21256 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21257 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 21258 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21259 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21260 start_va = 0x7e8b0000 end_va = 0x7e8d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8b0000" filename = "" Region: id = 21261 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21262 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21263 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21264 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21267 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 21268 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21269 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21270 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21271 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21272 start_va = 0x550000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 21292 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21293 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21294 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21295 start_va = 0x7e7b0000 end_va = 0x7e8affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7b0000" filename = "" Region: id = 21296 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21297 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21298 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21299 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21300 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 21301 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21302 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21303 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21304 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21305 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21349 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21350 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21351 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 21352 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 21353 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21354 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21355 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21356 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21357 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21358 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21359 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21360 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21361 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21362 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21363 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21364 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 21365 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21376 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21377 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 21378 start_va = 0x4e0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 21379 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 21380 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21381 start_va = 0x550000 end_va = 0x5e0fff monitored = 0 entry_point = 0x588cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21382 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 21399 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21400 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 21401 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 21402 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 21403 start_va = 0x500000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 21428 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 21440 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 21441 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 21442 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 21443 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 21444 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 622 os_tid = 0x13a8 [0202.824] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0202.824] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0202.825] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0202.825] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0202.825] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0202.825] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0202.826] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0202.826] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0202.827] GetProcessHeap () returned 0x620000 [0202.827] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0202.827] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0202.827] GetLastError () returned 0x7e [0202.827] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0202.827] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0202.827] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x364) returned 0x6309a0 [0202.827] SetLastError (dwErrCode=0x7e) [0202.828] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe00) returned 0x630d10 [0202.830] GetStartupInfoW (in: lpStartupInfo=0x18fb94 | out: lpStartupInfo=0x18fb94*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0202.830] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0202.830] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0202.830] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0202.830] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"" [0202.830] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"" [0202.830] GetACP () returned 0x4e4 [0202.830] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x220) returned 0x631b18 [0202.830] IsValidCodePage (CodePage=0x4e4) returned 1 [0202.830] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbb4 | out: lpCPInfo=0x18fbb4) returned 1 [0202.830] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f47c | out: lpCPInfo=0x18f47c) returned 1 [0202.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0202.830] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0202.830] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f490 | out: lpCharType=0x18f490) returned 1 [0202.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0202.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0202.831] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0202.831] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0202.831] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0202.831] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18efc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0202.831] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f990, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ@Q\x16\x0fÌû\x18", lpUsedDefaultChar=0x0) returned 256 [0202.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0202.831] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa90, cbMultiByte=256, lpWideCharStr=0x18f1e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0202.831] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0202.831] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18efd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0202.831] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f890, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ@Q\x16\x0fÌû\x18", lpUsedDefaultChar=0x0) returned 256 [0202.831] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x80) returned 0x623878 [0202.832] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0202.832] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x190) returned 0x631d40 [0202.832] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0202.832] GetLastError () returned 0x0 [0202.832] SetLastError (dwErrCode=0x0) [0202.832] GetEnvironmentStringsW () returned 0x631ed8* [0202.832] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0xa8c) returned 0x632970 [0202.832] FreeEnvironmentStringsW (penv=0x631ed8) returned 1 [0202.832] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x90) returned 0x624568 [0202.832] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3e) returned 0x62aa98 [0202.832] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x5c) returned 0x628aa0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x6e) returned 0x624630 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x78) returned 0x633fb0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x62) returned 0x624c60 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x28) returned 0x623d98 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x48) returned 0x623fe8 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1a) returned 0x620570 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3a) returned 0x62aff0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x62) returned 0x623bf8 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2a) returned 0x628720 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2e) returned 0x6288e0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1c) returned 0x623dc8 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x144) returned 0x629cb8 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x7c) returned 0x628300 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x36) returned 0x62deb0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3a) returned 0x62ae88 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x90) returned 0x6243a0 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x623918 [0202.833] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x30) returned 0x628918 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x36) returned 0x62e370 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x48) returned 0x622908 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x52) returned 0x6204b8 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3c) returned 0x62abb8 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xd6) returned 0x629e78 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2e) returned 0x628950 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x1e) returned 0x622958 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2c) returned 0x628800 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x54) returned 0x623e10 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x52) returned 0x624070 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x623e70 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x42) returned 0x6240d0 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x2c) returned 0x6289c0 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x44) returned 0x629fa8 [0202.834] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x24) returned 0x623948 [0202.835] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x632970 | out: hHeap=0x620000) returned 1 [0202.835] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x800) returned 0x631ed8 [0202.836] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0202.836] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0202.836] GetStartupInfoW (in: lpStartupInfo=0x18fbf8 | out: lpStartupInfo=0x18fbf8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0202.836] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"" [0202.836] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"", pNumArgs=0x18fbe4 | out: pNumArgs=0x18fbe4) returned 0x632b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0202.837] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0202.841] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x1000) returned 0x634410 [0202.841] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x3e) returned 0x62aa50 [0202.841] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decryptAny", cchWideChar=-1, lpMultiByteStr=0x62aa50, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decryptAny", lpUsedDefaultChar=0x0) returned 31 [0202.841] GetLastError () returned 0x0 [0202.841] SetLastError (dwErrCode=0x0) [0202.841] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyW") returned 0x0 [0202.841] GetLastError () returned 0x7f [0202.841] SetLastError (dwErrCode=0x7f) [0202.841] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyA") returned 0x0 [0202.841] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAny") returned 0x647c7a5d [0202.841] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x4) returned 0x623820 [0202.841] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x623820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0202.842] GetActiveWindow () returned 0x0 [0202.843] GetLastError () returned 0x7f [0202.843] SetLastError (dwErrCode=0x7f) Thread: id = 624 os_tid = 0x13fc Process: id = "296" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1eeaa000" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "295" os_parent_pid = "0x3b8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "297" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1ea5e000" os_pid = "0xc54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21484 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21485 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21486 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21487 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21488 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21489 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21490 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21491 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21492 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21493 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21494 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21495 start_va = 0x7f360000 end_va = 0x7f382fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f360000" filename = "" Region: id = 21496 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21497 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21498 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21499 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21502 start_va = 0x410000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 21503 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21504 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21505 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21506 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21507 start_va = 0x410000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 21508 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 21510 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21511 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21512 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21513 start_va = 0x7f260000 end_va = 0x7f35ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f260000" filename = "" Region: id = 21514 start_va = 0x520000 end_va = 0x5ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21515 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21516 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21517 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21518 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 21519 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21520 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21522 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21523 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21524 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21525 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21526 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21527 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21528 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21529 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21530 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21531 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21532 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21533 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21534 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21535 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21536 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21537 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21540 start_va = 0x6f0000 end_va = 0x877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 21541 start_va = 0x880000 end_va = 0x8a9fff monitored = 0 entry_point = 0x885680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21542 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21547 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21548 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 21549 start_va = 0x420000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 21550 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 21551 start_va = 0xa10000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 21552 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21555 start_va = 0xa70000 end_va = 0xb00fff monitored = 0 entry_point = 0xaa8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21556 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21557 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 21558 start_va = 0xa60000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 21559 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 21560 start_va = 0xa20000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 21563 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 21564 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 21565 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 21566 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 21570 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 21571 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Thread: id = 626 os_tid = 0x113c [0204.854] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0204.854] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0204.855] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0204.855] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0204.855] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0204.855] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0204.856] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0204.856] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0204.857] GetProcessHeap () returned 0x420000 [0204.857] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0204.857] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0204.857] GetLastError () returned 0x7e [0204.857] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0204.857] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0204.857] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x364) returned 0x430aa0 [0204.858] SetLastError (dwErrCode=0x7e) [0204.858] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xe00) returned 0x430e10 [0204.860] GetStartupInfoW (in: lpStartupInfo=0x18fa8c | out: lpStartupInfo=0x18fa8c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0204.860] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0204.860] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0204.860] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0204.860] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"" [0204.860] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"" [0204.860] GetACP () returned 0x4e4 [0204.860] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x220) returned 0x431c18 [0204.860] IsValidCodePage (CodePage=0x4e4) returned 1 [0204.860] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18faac | out: lpCPInfo=0x18faac) returned 1 [0204.860] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f374 | out: lpCPInfo=0x18f374) returned 1 [0204.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0204.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0204.860] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f388 | out: lpCharType=0x18f388) returned 1 [0204.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0204.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x18f0c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0204.861] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0204.861] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0204.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0204.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eeb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0204.861] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f888, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x7f[4Äú\x18", lpUsedDefaultChar=0x0) returned 256 [0204.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0204.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f988, cbMultiByte=256, lpWideCharStr=0x18f0e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0204.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0204.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eed8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0204.861] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f788, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x7f[4Äú\x18", lpUsedDefaultChar=0x0) returned 256 [0204.862] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x80) returned 0x4238a8 [0204.862] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0204.862] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1ac) returned 0x431e40 [0204.862] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0204.862] GetLastError () returned 0x0 [0204.862] SetLastError (dwErrCode=0x0) [0204.862] GetEnvironmentStringsW () returned 0x431ff8* [0204.862] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0xa8c) returned 0x432a90 [0204.863] FreeEnvironmentStringsW (penv=0x431ff8) returned 1 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x90) returned 0x4247f8 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3e) returned 0x42ae28 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x5c) returned 0x428ad0 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x6e) returned 0x4248c0 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x78) returned 0x434250 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x62) returned 0x424c90 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x28) returned 0x423dc8 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x48) returned 0x424278 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1a) returned 0x420570 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3a) returned 0x42afd8 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x62) returned 0x423c28 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2a) returned 0x4286e0 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2e) returned 0x428718 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1c) returned 0x423df8 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x144) returned 0x429ce8 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x7c) returned 0x428330 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x36) returned 0x42e070 [0204.863] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3a) returned 0x42ac30 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x90) returned 0x424630 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x423948 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x30) returned 0x428980 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x36) returned 0x42e4f0 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x48) returned 0x422928 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x52) returned 0x4204b8 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x3c) returned 0x42b0b0 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0xd6) returned 0x429ea8 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2e) returned 0x4287c0 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x1e) returned 0x422978 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2c) returned 0x428750 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x54) returned 0x423e40 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x52) returned 0x424300 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x423ea0 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x42) returned 0x424360 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x2c) returned 0x4288a0 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x44) returned 0x429fd8 [0204.864] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x24) returned 0x423978 [0204.865] HeapFree (in: hHeap=0x420000, dwFlags=0x0, lpMem=0x432a90 | out: hHeap=0x420000) returned 1 [0204.865] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x8, Size=0x800) returned 0x431ff8 [0204.865] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0204.865] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0204.866] GetStartupInfoW (in: lpStartupInfo=0x18faf0 | out: lpStartupInfo=0x18faf0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0204.866] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"" [0204.866] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"", pNumArgs=0x18fadc | out: pNumArgs=0x18fadc) returned 0x432c48*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0204.869] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0204.873] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x1000) returned 0x434530 [0204.873] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x5a) returned 0x42a808 [0204.873] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_deserializeCertificateId", cchWideChar=-1, lpMultiByteStr=0x42a808, cbMultiByte=90, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_deserializeCertificateId", lpUsedDefaultChar=0x0) returned 45 [0204.873] GetLastError () returned 0x0 [0204.873] SetLastError (dwErrCode=0x0) [0204.873] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdW") returned 0x0 [0204.873] GetLastError () returned 0x7f [0204.874] SetLastError (dwErrCode=0x7f) [0204.874] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdA") returned 0x0 [0204.874] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateId") returned 0x647cddbf [0204.874] RtlAllocateHeap (HeapHandle=0x420000, Flags=0x0, Size=0x4) returned 0x423850 [0204.874] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x423850, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0204.874] GetActiveWindow () returned 0x0 [0204.876] GetLastError () returned 0x7f [0204.876] SetLastError (dwErrCode=0x7f) Thread: id = 628 os_tid = 0xe68 Process: id = "298" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1dd49000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "297" os_parent_pid = "0xc54" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "299" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1d801000" os_pid = "0xd3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21580 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21581 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21582 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21583 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21584 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21585 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21586 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21587 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21588 start_va = 0xb70000 end_va = 0xb71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 21589 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21590 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21591 start_va = 0x7e6c0000 end_va = 0x7e6e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6c0000" filename = "" Region: id = 21592 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21593 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21594 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21595 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21614 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21615 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21616 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21617 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21618 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21619 start_va = 0xb80000 end_va = 0xdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 21630 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21631 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21632 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21633 start_va = 0x7e5c0000 end_va = 0x7e6bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5c0000" filename = "" Region: id = 21634 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21635 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21636 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21637 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21638 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 21639 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21640 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21646 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21647 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21648 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21649 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21650 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21651 start_va = 0xb70000 end_va = 0xb73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 21652 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21653 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21654 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21655 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21656 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21657 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21658 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21659 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21660 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21661 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21674 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 21675 start_va = 0xb80000 end_va = 0xba9fff monitored = 0 entry_point = 0xb85680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21676 start_va = 0xcf0000 end_va = 0xdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 21677 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21681 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21682 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21683 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 21684 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 21685 start_va = 0xb80000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 21686 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21687 start_va = 0xbc0000 end_va = 0xc50fff monitored = 0 entry_point = 0xbf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21691 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21692 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 21693 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 21694 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 21695 start_va = 0xb90000 end_va = 0xb97fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 21698 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 21699 start_va = 0xba0000 end_va = 0xba1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 21700 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 21701 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 21702 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 21703 start_va = 0xba0000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Thread: id = 629 os_tid = 0xe98 [0206.462] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0206.462] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0206.462] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0206.462] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0206.462] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0206.462] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0206.463] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0206.463] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0206.464] GetProcessHeap () returned 0xcf0000 [0206.464] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0206.464] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0206.464] GetLastError () returned 0x7e [0206.464] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0206.464] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0206.464] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x364) returned 0xd00a90 [0206.465] SetLastError (dwErrCode=0x7e) [0206.465] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0xe00) returned 0xd00e00 [0206.466] GetStartupInfoW (in: lpStartupInfo=0x18fe1c | out: lpStartupInfo=0x18fe1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0206.466] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0206.466] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0206.466] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0206.467] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"" [0206.467] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"" [0206.467] GetACP () returned 0x4e4 [0206.467] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0x220) returned 0xd01c08 [0206.467] IsValidCodePage (CodePage=0x4e4) returned 1 [0206.467] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe3c | out: lpCPInfo=0x18fe3c) returned 1 [0206.467] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f704 | out: lpCPInfo=0x18f704) returned 1 [0206.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0206.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0206.467] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f718 | out: lpCharType=0x18f718) returned 1 [0206.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0206.467] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f458, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0206.467] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0206.467] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0206.468] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0206.468] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f248, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0206.468] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿtùÓ¤Tþ\x18", lpUsedDefaultChar=0x0) returned 256 [0206.468] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0206.468] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0206.468] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0206.468] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0206.468] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿtùÓ¤Tþ\x18", lpUsedDefaultChar=0x0) returned 256 [0206.468] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0x80) returned 0xcf3898 [0206.468] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0206.468] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x1a8) returned 0xd01e30 [0206.468] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0206.468] GetLastError () returned 0x0 [0206.468] SetLastError (dwErrCode=0x0) [0206.468] GetEnvironmentStringsW () returned 0xd01fe8* [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0xa8c) returned 0xd02a80 [0206.469] FreeEnvironmentStringsW (penv=0xd01fe8) returned 1 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x90) returned 0xcf47e8 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x3e) returned 0xcfac68 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x5c) returned 0xcf8ac0 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x6e) returned 0xcf48b0 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x78) returned 0xd03e40 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x62) returned 0xcf4c80 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x28) returned 0xcf3db8 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x48) returned 0xcf4268 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x1a) returned 0xcf0570 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x3a) returned 0xcfaef0 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x62) returned 0xcf3c18 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x2a) returned 0xcf8740 [0206.469] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x2e) returned 0xcf89e0 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x1c) returned 0xcf3de8 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x144) returned 0xcf9cd8 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x7c) returned 0xcf8320 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x36) returned 0xcfe3a0 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x3a) returned 0xcfaf38 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x90) returned 0xcf4620 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x24) returned 0xcf3938 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x30) returned 0xcf8a18 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x36) returned 0xcfe420 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x48) returned 0xcf2920 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x52) returned 0xcf04b8 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x3c) returned 0xcfab90 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0xd6) returned 0xcf9e98 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x2e) returned 0xcf87e8 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x1e) returned 0xcf2970 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x2c) returned 0xcf8698 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x54) returned 0xcf3e30 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x52) returned 0xcf42f0 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x24) returned 0xcf3e90 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x42) returned 0xcf4350 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x2c) returned 0xcf8778 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x44) returned 0xcf9fc8 [0206.470] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x24) returned 0xcf3968 [0206.471] HeapFree (in: hHeap=0xcf0000, dwFlags=0x0, lpMem=0xd02a80 | out: hHeap=0xcf0000) returned 1 [0206.471] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x8, Size=0x800) returned 0xd01fe8 [0206.471] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0206.471] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0206.471] GetStartupInfoW (in: lpStartupInfo=0x18fe80 | out: lpStartupInfo=0x18fe80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0206.471] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"" [0206.472] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"", pNumArgs=0x18fe6c | out: pNumArgs=0x18fe6c) returned 0xd02c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0206.472] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0206.475] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0x1000) returned 0xd04520 [0206.475] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0x56) returned 0xcfa710 [0206.475] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_duplicateCertificateId", cchWideChar=-1, lpMultiByteStr=0xcfa710, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_duplicateCertificateId", lpUsedDefaultChar=0x0) returned 43 [0206.475] GetLastError () returned 0x0 [0206.475] SetLastError (dwErrCode=0x0) [0206.476] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdW") returned 0x0 [0206.476] GetLastError () returned 0x7f [0206.476] SetLastError (dwErrCode=0x7f) [0206.476] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdA") returned 0x0 [0206.476] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateId") returned 0x647c6aee [0206.476] RtlAllocateHeap (HeapHandle=0xcf0000, Flags=0x0, Size=0x4) returned 0xcf3840 [0206.476] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xcf3840, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0206.476] GetActiveWindow () returned 0x0 [0206.478] GetLastError () returned 0x7f [0206.478] SetLastError (dwErrCode=0x7f) Thread: id = 631 os_tid = 0xf00 Process: id = "300" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1d236000" os_pid = "0xcd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "299" os_parent_pid = "0xd3c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "301" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1d28e000" os_pid = "0x97c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21715 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21716 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21717 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21718 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21719 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21720 start_va = 0x730000 end_va = 0x731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 21721 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21722 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21723 start_va = 0x7f5e0000 end_va = 0x7f602fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5e0000" filename = "" Region: id = 21724 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21725 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21726 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21727 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21728 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21729 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21730 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21756 start_va = 0x400000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21757 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21758 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21759 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21760 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21761 start_va = 0x740000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 21763 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21764 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21765 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21766 start_va = 0x7f4e0000 end_va = 0x7f5dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4e0000" filename = "" Region: id = 21767 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21768 start_va = 0x4c0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 21769 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21770 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21771 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21772 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 21773 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21774 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21775 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21776 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21779 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21780 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21781 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21782 start_va = 0x730000 end_va = 0x733fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 21783 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21784 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21785 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21786 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21787 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21788 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21789 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21790 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21791 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21792 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21793 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 21794 start_va = 0x8d0000 end_va = 0x8f9fff monitored = 0 entry_point = 0x8d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21795 start_va = 0x910000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 21796 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21799 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21800 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 21801 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 21802 start_va = 0xba0000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 21803 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21804 start_va = 0xba0000 end_va = 0xc30fff monitored = 0 entry_point = 0xbd8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21805 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 21809 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21810 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 21811 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 21812 start_va = 0x8e0000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 21818 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 21819 start_va = 0x8f0000 end_va = 0x8f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 21820 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 21821 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 21822 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 21823 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Thread: id = 632 os_tid = 0xd04 [0207.512] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0207.512] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0207.513] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0207.513] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0207.513] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0207.513] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0207.514] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0207.514] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0207.514] GetProcessHeap () returned 0x910000 [0207.514] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0207.515] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0207.515] GetLastError () returned 0x7e [0207.515] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0207.515] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0207.515] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x364) returned 0x920a98 [0207.515] SetLastError (dwErrCode=0x7e) [0207.516] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0xe00) returned 0x920e08 [0207.518] GetStartupInfoW (in: lpStartupInfo=0x18fb0c | out: lpStartupInfo=0x18fb0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0207.518] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0207.518] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0207.518] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0207.518] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"" [0207.518] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"" [0207.518] GetACP () returned 0x4e4 [0207.518] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0x220) returned 0x921c10 [0207.518] IsValidCodePage (CodePage=0x4e4) returned 1 [0207.518] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb2c | out: lpCPInfo=0x18fb2c) returned 1 [0207.518] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3f4 | out: lpCPInfo=0x18f3f4) returned 1 [0207.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0207.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f198, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0207.518] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f408 | out: lpCharType=0x18f408) returned 1 [0207.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0207.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f148, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0207.519] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0207.519] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0207.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0207.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0207.519] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f908, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e£\x18îDû\x18", lpUsedDefaultChar=0x0) returned 256 [0207.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0207.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0207.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0207.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0207.519] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f808, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e£\x18îDû\x18", lpUsedDefaultChar=0x0) returned 256 [0207.519] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0x80) returned 0x9138a0 [0207.519] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x1aa) returned 0x921e38 [0207.520] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0207.520] GetLastError () returned 0x0 [0207.520] SetLastError (dwErrCode=0x0) [0207.520] GetEnvironmentStringsW () returned 0x921ff0* [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0xa8c) returned 0x922a88 [0207.520] FreeEnvironmentStringsW (penv=0x921ff0) returned 1 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x90) returned 0x9147f0 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x3e) returned 0x91b0a8 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x5c) returned 0x918ac8 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x6e) returned 0x9148b8 [0207.520] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x78) returned 0x923bc8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x62) returned 0x914c88 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x28) returned 0x913dc0 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x48) returned 0x914010 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x1a) returned 0x910570 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x3a) returned 0x91aef8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x62) returned 0x913c20 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x2a) returned 0x9187b8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x2e) returned 0x918978 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x1c) returned 0x913df0 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x144) returned 0x919ce0 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x7c) returned 0x918328 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x36) returned 0x91e3e8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x3a) returned 0x91ab08 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x90) returned 0x9143c8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x24) returned 0x913940 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x30) returned 0x9189b0 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x36) returned 0x91e428 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x48) returned 0x912920 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x52) returned 0x9104b8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x3c) returned 0x91af40 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0xd6) returned 0x919ea0 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x2e) returned 0x9189e8 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x1e) returned 0x912970 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x2c) returned 0x918a20 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x54) returned 0x913e38 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x52) returned 0x914098 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x24) returned 0x913e98 [0207.521] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x42) returned 0x9140f8 [0207.522] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x2c) returned 0x9186a0 [0207.522] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x44) returned 0x919fd0 [0207.522] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x24) returned 0x913970 [0207.523] HeapFree (in: hHeap=0x910000, dwFlags=0x0, lpMem=0x922a88 | out: hHeap=0x910000) returned 1 [0207.523] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x8, Size=0x800) returned 0x921ff0 [0207.523] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0207.523] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0207.523] GetStartupInfoW (in: lpStartupInfo=0x18fb70 | out: lpStartupInfo=0x18fb70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0207.524] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"" [0207.524] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"", pNumArgs=0x18fb5c | out: pNumArgs=0x18fb5c) returned 0x922c40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0207.524] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0207.527] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0x1000) returned 0x924528 [0207.527] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0x58) returned 0x91a718 [0207.527] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureCertificateAccess", cchWideChar=-1, lpMultiByteStr=0x91a718, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureCertificateAccess", lpUsedDefaultChar=0x0) returned 44 [0207.527] GetLastError () returned 0x0 [0207.527] SetLastError (dwErrCode=0x0) [0207.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessW") returned 0x0 [0207.527] GetLastError () returned 0x7f [0207.527] SetLastError (dwErrCode=0x7f) [0207.528] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessA") returned 0x0 [0207.528] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccess") returned 0x647c84a4 [0207.528] RtlAllocateHeap (HeapHandle=0x910000, Flags=0x0, Size=0x4) returned 0x913848 [0207.528] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x913848, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0207.528] GetActiveWindow () returned 0x0 [0207.529] GetLastError () returned 0x7f [0207.529] SetLastError (dwErrCode=0x7f) Thread: id = 634 os_tid = 0x10e8 Process: id = "302" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1cea3000" os_pid = "0x118c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "301" os_parent_pid = "0x97c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "303" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x69aa6000" os_pid = "0xe9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21839 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21840 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21841 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21842 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21843 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21844 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 21845 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21846 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21847 start_va = 0x7ed00000 end_va = 0x7ed22fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed00000" filename = "" Region: id = 21848 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21849 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21850 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21851 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21852 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21853 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21854 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21857 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 21858 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21859 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21860 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21861 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21862 start_va = 0x940000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 21866 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21867 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21868 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21869 start_va = 0x7ec00000 end_va = 0x7ecfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec00000" filename = "" Region: id = 21870 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21871 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 21872 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21873 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21874 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21875 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 21876 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21877 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21880 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21881 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21882 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21883 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21884 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21885 start_va = 0x930000 end_va = 0x933fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 21886 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21887 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21888 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21889 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21890 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21891 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21892 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 21893 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 21896 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 21897 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 21898 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 21899 start_va = 0x940000 end_va = 0x969fff monitored = 0 entry_point = 0x945680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21900 start_va = 0x980000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 21901 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 21904 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 21905 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 21906 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 21907 start_va = 0xa80000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 21908 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 21909 start_va = 0xa80000 end_va = 0xb10fff monitored = 0 entry_point = 0xab8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 21910 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 21913 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 21914 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 21915 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 21916 start_va = 0x950000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 21923 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 21924 start_va = 0x960000 end_va = 0x961fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 21925 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 21926 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 21927 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 21928 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Thread: id = 635 os_tid = 0xd50 [0208.702] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0208.703] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0208.703] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0208.703] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0208.703] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0208.703] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0208.704] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0208.704] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0208.705] GetProcessHeap () returned 0x980000 [0208.705] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0208.705] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0208.705] GetLastError () returned 0x7e [0208.705] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0208.705] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0208.705] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x364) returned 0x990a80 [0208.706] SetLastError (dwErrCode=0x7e) [0208.706] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0xe00) returned 0x990df0 [0208.708] GetStartupInfoW (in: lpStartupInfo=0x18f978 | out: lpStartupInfo=0x18f978*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0208.708] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0208.708] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0208.708] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0208.708] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"" [0208.708] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"" [0208.708] GetACP () returned 0x4e4 [0208.708] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x220) returned 0x991bf8 [0208.708] IsValidCodePage (CodePage=0x4e4) returned 1 [0208.708] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f998 | out: lpCPInfo=0x18f998) returned 1 [0208.708] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f260 | out: lpCPInfo=0x18f260) returned 1 [0208.708] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0208.708] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x18f008, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0208.708] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f274 | out: lpCharType=0x18f274) returned 1 [0208.709] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0208.709] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x18efb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0208.709] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0208.709] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0208.709] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0208.709] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eda8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0208.709] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f774, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%2\x8ax°ù\x18", lpUsedDefaultChar=0x0) returned 256 [0208.709] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0208.709] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f874, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0208.709] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0208.709] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0208.709] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f674, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%2\x8ax°ù\x18", lpUsedDefaultChar=0x0) returned 256 [0208.709] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x80) returned 0x983888 [0208.709] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0208.709] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x19a) returned 0x991e20 [0208.709] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0208.710] GetLastError () returned 0x0 [0208.710] SetLastError (dwErrCode=0x0) [0208.710] GetEnvironmentStringsW () returned 0x991fc8* [0208.710] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0xa8c) returned 0x992a60 [0208.711] FreeEnvironmentStringsW (penv=0x991fc8) returned 1 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x90) returned 0x9847d8 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3e) returned 0x98ad78 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x5c) returned 0x988ab0 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x6e) returned 0x9848a0 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x78) returned 0x9939a0 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x62) returned 0x984c70 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x28) returned 0x983da8 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x48) returned 0x984258 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1a) returned 0x980570 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3a) returned 0x98b168 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x62) returned 0x983c08 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2a) returned 0x988768 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2e) returned 0x988810 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1c) returned 0x983dd8 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x144) returned 0x989cc8 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x7c) returned 0x988310 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x36) returned 0x98e2d0 [0208.711] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3a) returned 0x98ae98 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x90) returned 0x984610 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x983928 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x30) returned 0x988688 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x36) returned 0x98e150 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x48) returned 0x982910 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x52) returned 0x9804b8 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x3c) returned 0x98aa60 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0xd6) returned 0x989e88 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2e) returned 0x988998 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x1e) returned 0x982960 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2c) returned 0x988a08 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x54) returned 0x983e20 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x52) returned 0x9842e0 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x983e80 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x42) returned 0x984340 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x2c) returned 0x988848 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x44) returned 0x989fb8 [0208.712] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x24) returned 0x983958 [0208.713] HeapFree (in: hHeap=0x980000, dwFlags=0x0, lpMem=0x992a60 | out: hHeap=0x980000) returned 1 [0208.713] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x8, Size=0x800) returned 0x991fc8 [0208.713] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0208.713] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0208.714] GetStartupInfoW (in: lpStartupInfo=0x18f9dc | out: lpStartupInfo=0x18f9dc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0208.714] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"" [0208.714] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"", pNumArgs=0x18f9c8 | out: pNumArgs=0x18f9c8) returned 0x992c18*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0208.714] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0208.718] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x1000) returned 0x994500 [0208.718] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x48) returned 0x98a760 [0208.718] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureKeyAccess", cchWideChar=-1, lpMultiByteStr=0x98a760, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureKeyAccess", lpUsedDefaultChar=0x0) returned 36 [0208.718] GetLastError () returned 0x0 [0208.718] SetLastError (dwErrCode=0x0) [0208.718] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessW") returned 0x0 [0208.718] GetLastError () returned 0x7f [0208.718] SetLastError (dwErrCode=0x7f) [0208.718] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessA") returned 0x0 [0208.719] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccess") returned 0x647c86f6 [0208.719] RtlAllocateHeap (HeapHandle=0x980000, Flags=0x0, Size=0x4) returned 0x983830 [0208.719] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x983830, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0208.719] GetActiveWindow () returned 0x0 [0208.720] GetLastError () returned 0x7f [0208.720] SetLastError (dwErrCode=0x7f) Thread: id = 639 os_tid = 0xeb8 Process: id = "304" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4ce68000" os_pid = "0xed8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "303" os_parent_pid = "0xe9c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "305" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46cbe000" os_pid = "0xee4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 21941 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 21942 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 21943 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 21944 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 21945 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 21946 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 21947 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 21948 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 21949 start_va = 0xa50000 end_va = 0xa51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 21950 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 21951 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 21952 start_va = 0x7f290000 end_va = 0x7f2b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f290000" filename = "" Region: id = 21953 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 21954 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 21955 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 21956 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 21959 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 21960 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 21961 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 21962 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21963 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 21964 start_va = 0xa60000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 21965 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 21975 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 21976 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 21977 start_va = 0x7f190000 end_va = 0x7f28ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f190000" filename = "" Region: id = 21978 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 21979 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 21980 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 21981 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 21982 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 21983 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 21984 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 21985 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 21986 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 21989 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 21990 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 21991 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 21992 start_va = 0xa50000 end_va = 0xa53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 21993 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 21994 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 21995 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 21996 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 21997 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 21998 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 21999 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22000 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22001 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22002 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22003 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 22004 start_va = 0xb70000 end_va = 0xb99fff monitored = 0 entry_point = 0xb75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22005 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22008 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22009 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22010 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 22011 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 22012 start_va = 0xb70000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 22013 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22016 start_va = 0xbd0000 end_va = 0xc60fff monitored = 0 entry_point = 0xc08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22017 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22022 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 22023 start_va = 0xa70000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 22024 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 22025 start_va = 0xbc0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 22026 start_va = 0xb70000 end_va = 0xb77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 22029 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 22030 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 22031 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 22032 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 22033 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 22034 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Thread: id = 641 os_tid = 0xd40 [0209.884] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0209.884] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0209.884] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0209.885] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0209.885] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0209.885] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0209.886] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0209.886] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0209.887] GetProcessHeap () returned 0xa70000 [0209.887] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0209.887] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0209.887] GetLastError () returned 0x7e [0209.888] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0209.888] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0209.888] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x364) returned 0xa80a88 [0209.888] SetLastError (dwErrCode=0x7e) [0209.888] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0xe00) returned 0xa80df8 [0209.891] GetStartupInfoW (in: lpStartupInfo=0x18f7e0 | out: lpStartupInfo=0x18f7e0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0209.891] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0209.891] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0209.891] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0209.891] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"" [0209.891] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"" [0209.892] GetACP () returned 0x4e4 [0209.892] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0x220) returned 0xa81c00 [0209.892] IsValidCodePage (CodePage=0x4e4) returned 1 [0209.892] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f800 | out: lpCPInfo=0x18f800) returned 1 [0209.892] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0c8 | out: lpCPInfo=0x18f0c8) returned 1 [0209.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0209.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x18ee68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0209.892] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f0dc | out: lpCharType=0x18f0dc) returned 1 [0209.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0209.892] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x18ee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0209.892] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0209.893] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0209.893] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0209.893] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0209.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5dc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'\x83\x98\x9c\x18ø\x18", lpUsedDefaultChar=0x0) returned 256 [0209.893] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0209.893] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6dc, cbMultiByte=256, lpWideCharStr=0x18ee38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0209.893] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0209.893] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0209.893] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4dc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'\x83\x98\x9c\x18ø\x18", lpUsedDefaultChar=0x0) returned 256 [0209.894] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0x80) returned 0xa73890 [0209.894] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0209.894] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x1a0) returned 0xa81e28 [0209.894] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0209.894] GetLastError () returned 0x0 [0209.894] SetLastError (dwErrCode=0x0) [0209.894] GetEnvironmentStringsW () returned 0xa81fd0* [0209.894] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0xa8c) returned 0xa82a68 [0209.895] FreeEnvironmentStringsW (penv=0xa81fd0) returned 1 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x90) returned 0xa747e0 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x3e) returned 0xa7ac60 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x5c) returned 0xa78ab8 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x6e) returned 0xa748a8 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x78) returned 0xa83528 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x62) returned 0xa74c78 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x28) returned 0xa73db0 [0209.895] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x48) returned 0xa74000 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x1a) returned 0xa70570 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x3a) returned 0xa7ac18 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x62) returned 0xa73c10 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x2a) returned 0xa78a10 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x2e) returned 0xa787a8 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x1c) returned 0xa73de0 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x144) returned 0xa79cd0 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x7c) returned 0xa78318 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x36) returned 0xa7e558 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x3a) returned 0xa7aea0 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x90) returned 0xa74618 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x24) returned 0xa73930 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x30) returned 0xa78850 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x36) returned 0xa7e298 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x48) returned 0xa72918 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x52) returned 0xa704b8 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x3c) returned 0xa7b128 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0xd6) returned 0xa79e90 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x2e) returned 0xa78690 [0209.896] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x1e) returned 0xa72968 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x2c) returned 0xa786c8 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x54) returned 0xa73e28 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x52) returned 0xa74088 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x24) returned 0xa73e88 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x42) returned 0xa740e8 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x2c) returned 0xa788c0 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x44) returned 0xa79fc0 [0209.897] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x24) returned 0xa73960 [0209.898] HeapFree (in: hHeap=0xa70000, dwFlags=0x0, lpMem=0xa82a68 | out: hHeap=0xa70000) returned 1 [0209.898] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x8, Size=0x800) returned 0xa81fd0 [0209.899] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0209.899] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0209.899] GetStartupInfoW (in: lpStartupInfo=0x18f844 | out: lpStartupInfo=0x18f844*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0209.899] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"" [0209.899] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"", pNumArgs=0x18f830 | out: pNumArgs=0x18f830) returned 0xa82c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0209.899] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0209.903] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0x1000) returned 0xa84508 [0209.903] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0x4e) returned 0xa7a708 [0209.903] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumCertificateIds", cchWideChar=-1, lpMultiByteStr=0xa7a708, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumCertificateIds", lpUsedDefaultChar=0x0) returned 39 [0209.903] GetLastError () returned 0x0 [0209.903] SetLastError (dwErrCode=0x0) [0209.904] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsW") returned 0x0 [0209.904] GetLastError () returned 0x7f [0209.904] SetLastError (dwErrCode=0x7f) [0209.904] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsA") returned 0x0 [0209.904] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIds") returned 0x647c9404 [0209.904] RtlAllocateHeap (HeapHandle=0xa70000, Flags=0x0, Size=0x4) returned 0xa73838 [0209.904] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xa73838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0209.904] GetActiveWindow () returned 0x0 [0209.905] GetLastError () returned 0x7f [0209.905] SetLastError (dwErrCode=0x7f) Thread: id = 643 os_tid = 0xeac Process: id = "306" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x217a0000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "305" os_parent_pid = "0xee4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "307" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1c5d6000" os_pid = "0xf6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22049 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22050 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22051 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22052 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22053 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22054 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22055 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22056 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22057 start_va = 0xd90000 end_va = 0xd91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 22058 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22059 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22060 start_va = 0x7eda0000 end_va = 0x7edc2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eda0000" filename = "" Region: id = 22061 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22062 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22063 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22064 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22066 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22067 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22068 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22069 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22070 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22071 start_va = 0xda0000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 22072 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22074 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22075 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22076 start_va = 0x7eca0000 end_va = 0x7ed9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eca0000" filename = "" Region: id = 22077 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22078 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 22079 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22080 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22081 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22082 start_va = 0x5b0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 22083 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22084 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22085 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22087 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22088 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22089 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22090 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22091 start_va = 0xd90000 end_va = 0xd93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 22092 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22093 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22094 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22095 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22096 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22097 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22098 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22099 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22100 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22101 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22104 start_va = 0x6b0000 end_va = 0x837fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 22105 start_va = 0xda0000 end_va = 0xdc9fff monitored = 0 entry_point = 0xda5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22106 start_va = 0xf40000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 22107 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22109 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22110 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 22111 start_va = 0x840000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 22112 start_va = 0xda0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 22113 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22114 start_va = 0xda0000 end_va = 0xe30fff monitored = 0 entry_point = 0xdd8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22115 start_va = 0xee0000 end_va = 0xeeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 22120 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22121 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 22122 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 22123 start_va = 0xdb0000 end_va = 0xdb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 22125 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 22129 start_va = 0xdc0000 end_va = 0xdc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 22130 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 22131 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 22132 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 22133 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Thread: id = 648 os_tid = 0xf70 [0212.094] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0212.095] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0212.095] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0212.095] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0212.095] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0212.095] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0212.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0212.096] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0212.096] GetProcessHeap () returned 0xf40000 [0212.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0212.096] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0212.096] GetLastError () returned 0x7e [0212.097] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0212.097] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0212.097] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x364) returned 0xf50a98 [0212.097] SetLastError (dwErrCode=0x7e) [0212.097] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0xe00) returned 0xf50e08 [0212.099] GetStartupInfoW (in: lpStartupInfo=0x18f8a4 | out: lpStartupInfo=0x18f8a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0212.099] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0212.099] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0212.099] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0212.099] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"" [0212.099] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"" [0212.099] GetACP () returned 0x4e4 [0212.099] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0x220) returned 0xf51c10 [0212.099] IsValidCodePage (CodePage=0x4e4) returned 1 [0212.099] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8c4 | out: lpCPInfo=0x18f8c4) returned 1 [0212.099] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f18c | out: lpCPInfo=0x18f18c) returned 1 [0212.099] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0212.099] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0212.099] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1a0 | out: lpCharType=0x18f1a0) returned 1 [0212.099] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0212.099] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0212.099] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0212.100] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0212.100] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0212.100] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0212.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿb\x11t(Üø\x18", lpUsedDefaultChar=0x0) returned 256 [0212.100] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0212.100] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0212.100] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0212.100] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0212.100] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿb\x11t(Üø\x18", lpUsedDefaultChar=0x0) returned 256 [0212.100] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0x80) returned 0xf438a0 [0212.100] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0212.100] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x1aa) returned 0xf51e38 [0212.100] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0212.100] GetLastError () returned 0x0 [0212.100] SetLastError (dwErrCode=0x0) [0212.100] GetEnvironmentStringsW () returned 0xf51ff0* [0212.100] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0xa8c) returned 0xf52a88 [0212.198] FreeEnvironmentStringsW (penv=0xf51ff0) returned 1 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x90) returned 0xf447f0 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x3e) returned 0xf4aeb0 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x5c) returned 0xf48ac8 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x6e) returned 0xf448b8 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x78) returned 0xf53648 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x62) returned 0xf44c88 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x28) returned 0xf43dc0 [0212.198] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x48) returned 0xf44010 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x1a) returned 0xf40570 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x3a) returned 0xf4ab98 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x62) returned 0xf43c20 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x2a) returned 0xf48a20 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x2e) returned 0xf48860 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x1c) returned 0xf43df0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x144) returned 0xf49ce0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x7c) returned 0xf48328 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x36) returned 0xf4e728 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x3a) returned 0xf4aef8 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x90) returned 0xf44628 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x24) returned 0xf43940 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x30) returned 0xf48898 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x36) returned 0xf4e4a8 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x48) returned 0xf42920 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x52) returned 0xf404b8 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x3c) returned 0xf4ab50 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0xd6) returned 0xf49ea0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x2e) returned 0xf488d0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x1e) returned 0xf42970 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x2c) returned 0xf489e8 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x54) returned 0xf43e38 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x52) returned 0xf44098 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x24) returned 0xf43e98 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x42) returned 0xf440f8 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x2c) returned 0xf486a0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x44) returned 0xf49fd0 [0212.199] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x24) returned 0xf43970 [0212.200] HeapFree (in: hHeap=0xf40000, dwFlags=0x0, lpMem=0xf52a88 | out: hHeap=0xf40000) returned 1 [0212.200] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x8, Size=0x800) returned 0xf51ff0 [0212.200] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0212.200] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0212.200] GetStartupInfoW (in: lpStartupInfo=0x18f908 | out: lpStartupInfo=0x18f908*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0212.200] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"" [0212.200] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"", pNumArgs=0x18f8f4 | out: pNumArgs=0x18f8f4) returned 0xf52c40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0212.201] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0212.203] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0x1000) returned 0xf54528 [0212.203] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0x58) returned 0xf4a718 [0212.203] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumTokenCertificateIds", cchWideChar=-1, lpMultiByteStr=0xf4a718, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumTokenCertificateIds", lpUsedDefaultChar=0x0) returned 44 [0212.204] GetLastError () returned 0x0 [0212.204] SetLastError (dwErrCode=0x0) [0212.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsW") returned 0x0 [0212.204] GetLastError () returned 0x7f [0212.204] SetLastError (dwErrCode=0x7f) [0212.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsA") returned 0x0 [0212.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIds") returned 0x647c91d9 [0212.204] RtlAllocateHeap (HeapHandle=0xf40000, Flags=0x0, Size=0x4) returned 0xf43848 [0212.204] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xf43848, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0212.204] GetActiveWindow () returned 0x0 [0212.205] GetLastError () returned 0x7f [0212.205] SetLastError (dwErrCode=0x7f) Thread: id = 650 os_tid = 0xfe4 Process: id = "308" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1b064000" os_pid = "0x1038" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "307" os_parent_pid = "0xf6c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "309" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1bbee000" os_pid = "0x13ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22144 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22145 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22146 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22147 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22148 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22149 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22150 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22151 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22152 start_va = 0x7b0000 end_va = 0x7b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 22153 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22154 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22155 start_va = 0x7fd90000 end_va = 0x7fdb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fd90000" filename = "" Region: id = 22156 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22157 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22158 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22159 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22162 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22163 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22164 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22165 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22166 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22167 start_va = 0x7c0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 22168 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22169 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22171 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22172 start_va = 0x7fc90000 end_va = 0x7fd8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fc90000" filename = "" Region: id = 22173 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22174 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22175 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22176 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22177 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 22178 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22179 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22180 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22181 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22182 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22183 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22184 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22185 start_va = 0x7b0000 end_va = 0x7b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 22186 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22187 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22188 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22189 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22190 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22226 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22227 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22228 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22229 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22230 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22231 start_va = 0x7c0000 end_va = 0x7e9fff monitored = 0 entry_point = 0x7c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22232 start_va = 0x8d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 22233 start_va = 0x9d0000 end_va = 0xb57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 22234 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22236 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22237 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22238 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 22239 start_va = 0x7c0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 22240 start_va = 0xb60000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 22241 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22242 start_va = 0x810000 end_va = 0x8a0fff monitored = 0 entry_point = 0x848cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22244 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22245 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 22246 start_va = 0x800000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 22247 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 22248 start_va = 0x7d0000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 22272 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 22276 start_va = 0x7e0000 end_va = 0x7e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 22277 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 22278 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 22279 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 22280 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Thread: id = 651 os_tid = 0xb90 [0213.393] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0213.394] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0213.394] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0213.394] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0213.394] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0213.394] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0213.395] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0213.395] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0213.395] GetProcessHeap () returned 0x8d0000 [0213.395] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0213.396] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0213.396] GetLastError () returned 0x7e [0213.396] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0213.396] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0213.396] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x364) returned 0x8e0a80 [0213.396] SetLastError (dwErrCode=0x7e) [0213.396] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0xe00) returned 0x8e0df0 [0213.399] GetStartupInfoW (in: lpStartupInfo=0x18fb50 | out: lpStartupInfo=0x18fb50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0213.399] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0213.399] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0213.399] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0213.399] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"" [0213.399] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"" [0213.400] GetACP () returned 0x4e4 [0213.400] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x220) returned 0x8e1bf8 [0213.400] IsValidCodePage (CodePage=0x4e4) returned 1 [0213.400] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb70 | out: lpCPInfo=0x18fb70) returned 1 [0213.400] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f438 | out: lpCPInfo=0x18f438) returned 1 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0213.400] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f44c | out: lpCharType=0x18f44c) returned 1 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0213.400] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0213.400] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0213.400] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0213.400] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0213.400] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f94c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ zXF\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0213.400] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0213.401] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0213.401] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0213.401] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ zXF\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0213.401] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x80) returned 0x8d3888 [0213.401] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0213.401] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x19a) returned 0x8e1e20 [0213.401] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0213.401] GetLastError () returned 0x0 [0213.401] SetLastError (dwErrCode=0x0) [0213.401] GetEnvironmentStringsW () returned 0x8e1fc8* [0213.401] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0xa8c) returned 0x8e2a60 [0213.401] FreeEnvironmentStringsW (penv=0x8e1fc8) returned 1 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x90) returned 0x8d4578 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3e) returned 0x8dabc8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x5c) returned 0x8d8850 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x6e) returned 0x8d4640 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x78) returned 0x8e43a0 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x62) returned 0x8d4a10 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x28) returned 0x8d3da8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x48) returned 0x8d3ff8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1a) returned 0x8d0570 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3a) returned 0x8db0d8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x62) returned 0x8d3c08 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2a) returned 0x8d8770 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2e) returned 0x8d8578 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1c) returned 0x8d3dd8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x144) returned 0x8d9a68 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x7c) returned 0x8d80b0 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x36) returned 0x8de110 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3a) returned 0x8daaa8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x90) returned 0x8d43b0 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d3928 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x30) returned 0x8d86c8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x36) returned 0x8de210 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x48) returned 0x8d2910 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x52) returned 0x8d04b8 [0213.402] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x3c) returned 0x8dae98 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0xd6) returned 0x8d9e88 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2e) returned 0x8d85b0 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x1e) returned 0x8d2960 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2c) returned 0x8d87a8 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x54) returned 0x8d3e20 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x52) returned 0x8d4080 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d3e80 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x42) returned 0x8d40e0 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x2c) returned 0x8d85e8 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x44) returned 0x8d9fb8 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x24) returned 0x8d3958 [0213.403] HeapFree (in: hHeap=0x8d0000, dwFlags=0x0, lpMem=0x8e2a60 | out: hHeap=0x8d0000) returned 1 [0213.403] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x8, Size=0x800) returned 0x8e1fc8 [0213.404] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0213.404] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0213.404] GetStartupInfoW (in: lpStartupInfo=0x18fbb4 | out: lpStartupInfo=0x18fbb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0213.404] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"" [0213.404] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"", pNumArgs=0x18fba0 | out: pNumArgs=0x18fba0) returned 0x8e2c18*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0213.404] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0213.407] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x1000) returned 0x8e4500 [0213.407] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x48) returned 0x8da700 [0213.407] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificate", cchWideChar=-1, lpMultiByteStr=0x8da700, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificate", lpUsedDefaultChar=0x0) returned 36 [0213.407] GetLastError () returned 0x0 [0213.407] SetLastError (dwErrCode=0x0) [0213.408] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateW") returned 0x0 [0213.408] GetLastError () returned 0x7f [0213.408] SetLastError (dwErrCode=0x7f) [0213.408] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateA") returned 0x0 [0213.408] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificate") returned 0x647c6e77 [0213.408] RtlAllocateHeap (HeapHandle=0x8d0000, Flags=0x0, Size=0x4) returned 0x8d3830 [0213.408] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x8d3830, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0213.408] GetActiveWindow () returned 0x0 [0213.409] GetLastError () returned 0x7f [0213.409] SetLastError (dwErrCode=0x7f) Thread: id = 653 os_tid = 0xc68 Process: id = "310" image_name = "wermgr.exe" filename = "c:\\windows\\syswow64\\wermgr.exe" page_root = "0x78a27000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "286" os_parent_pid = "0xfe8" cmd_line = "C:\\Windows\\SysWOW64\\wermgr.exe" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22250 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22251 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22252 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22253 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22254 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 22255 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 22256 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22257 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22258 start_va = 0x490000 end_va = 0x491fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 22259 start_va = 0x910000 end_va = 0x935fff monitored = 0 entry_point = 0x919700 region_type = mapped_file name = "wermgr.exe" filename = "\\Windows\\SysWOW64\\wermgr.exe" (normalized: "c:\\windows\\syswow64\\wermgr.exe") Region: id = 22260 start_va = 0x940000 end_va = 0x493ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 22261 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22262 start_va = 0x7ee90000 end_va = 0x7eeb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee90000" filename = "" Region: id = 22263 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22264 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22265 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 22266 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22267 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22268 start_va = 0x4a0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 22269 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24860 start_va = 0x100000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 24861 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24862 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24863 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24864 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24865 start_va = 0x4e0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 24866 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24867 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24868 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24869 start_va = 0x7ed90000 end_va = 0x7ee8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed90000" filename = "" Region: id = 24870 start_va = 0x4e0000 end_va = 0x59dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24871 start_va = 0x620000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 24873 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24874 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 24875 start_va = 0x170000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 24876 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 24877 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24878 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24879 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24880 start_va = 0x490000 end_va = 0x493fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 24881 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24882 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24883 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24884 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24885 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24887 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 24888 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24889 start_va = 0x720000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 24890 start_va = 0x720000 end_va = 0x809fff monitored = 0 entry_point = 0x75d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24891 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 24892 start_va = 0x4940000 end_va = 0x4abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 24894 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24895 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24896 start_va = 0x5a0000 end_va = 0x5c9fff monitored = 0 entry_point = 0x5a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24897 start_va = 0x4ac0000 end_va = 0x4c47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004ac0000" filename = "" Region: id = 24898 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24918 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24919 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 24920 start_va = 0x4c50000 end_va = 0x4dd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004c50000" filename = "" Region: id = 24921 start_va = 0x4de0000 end_va = 0x61dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004de0000" filename = "" Region: id = 24922 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24923 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24924 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24932 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24933 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24934 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24935 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24936 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24937 start_va = 0x4940000 end_va = 0x4a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004940000" filename = "" Region: id = 24938 start_va = 0x4ab0000 end_va = 0x4abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004ab0000" filename = "" Region: id = 24981 start_va = 0x743a0000 end_va = 0x743b2fff monitored = 0 entry_point = 0x743a1d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 24982 start_va = 0x6f9d0000 end_va = 0x6f9ebfff monitored = 0 entry_point = 0x6f9d4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 25001 start_va = 0x6f9b0000 end_va = 0x6f9c4fff monitored = 0 entry_point = 0x6f9b5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 25002 start_va = 0x6f9a0000 end_va = 0x6f9a9fff monitored = 0 entry_point = 0x6f9a28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 25003 start_va = 0x6f970000 end_va = 0x6f99efff monitored = 0 entry_point = 0x6f985140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 25004 start_va = 0x6f960000 end_va = 0x6f96ffff monitored = 0 entry_point = 0x6f9634d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 25005 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 25006 start_va = 0x6f940000 end_va = 0x6f958fff monitored = 0 entry_point = 0x6f9447e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 25007 start_va = 0x77200000 end_va = 0x7725efff monitored = 0 entry_point = 0x77204af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 25030 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25031 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Thread: id = 654 os_tid = 0x5c0 [0249.352] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0249.354] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x754e0000 [0249.354] GetProcAddress (hModule=0x754e0000, lpProcName="_snprintf") returned 0x75555020 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="memchr") returned 0x75568380 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="malloc") returned 0x75527900 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="_errno") returned 0x75515cd0 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="_strtoi64") returned 0x75511e60 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnprintf") returned 0x755563d0 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="memset") returned 0x75568c80 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="qsort") returned 0x7553c200 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="_ftol2_sse") returned 0x7557a580 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnwprintf") returned 0x75556840 [0249.355] GetProcAddress (hModule=0x754e0000, lpProcName="free") returned 0x75527740 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="_time64") returned 0x7556ea10 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="strncpy") returned 0x75569350 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="strchr") returned 0x75568d90 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="strtod") returned 0x75511ba0 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="localeconv") returned 0x7553c100 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="memcpy") returned 0x755684a0 [0249.356] GetProcAddress (hModule=0x754e0000, lpProcName="atol") returned 0x7550fe40 [0249.356] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75820000 [0249.356] GetProcAddress (hModule=0x75820000, lpProcName="FindNextFileW") returned 0x758469a0 [0249.356] GetProcAddress (hModule=0x75820000, lpProcName="GetTickCount") returned 0x75845eb0 [0249.356] GetProcAddress (hModule=0x75820000, lpProcName="SetThreadPriority") returned 0x75839990 [0249.356] GetProcAddress (hModule=0x75820000, lpProcName="FlushFileBuffers") returned 0x758469b0 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="LocalAlloc") returned 0x75837a30 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="GetExitCodeProcess") returned 0x7583fdb0 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemTimeAsFileTime") returned 0x75837620 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="GetFileAttributesW") returned 0x75846a50 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="MultiByteToWideChar") returned 0x75832ad0 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="SetCurrentDirectoryA") returned 0x75862290 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="Sleep") returned 0x75837990 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpiW") returned 0x75837590 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="GetDriveTypeW") returned 0x75846a10 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="GetLastError") returned 0x75833870 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="CreateDirectoryW") returned 0x75846860 [0249.357] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatA") returned 0x7583f640 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="CreateMutexW") returned 0x758466f0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentThread") returned 0x758375f0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="GetProcessId") returned 0x7583a6a0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="DisconnectNamedPipe") returned 0x75860990 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpA") returned 0x7583cc30 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="K32GetModuleFileNameExW") returned 0x758616a0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="MoveFileW") returned 0x7583b1d0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="ExitThread") returned 0x776b7a80 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="GetNumberFormatA") returned 0x75876060 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcessId") returned 0x758323e0 [0249.358] GetProcAddress (hModule=0x75820000, lpProcName="SwitchToThread") returned 0x7583a690 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleW") returned 0x75839bc0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="GetProcAddress") returned 0x758378b0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="HeapCreate") returned 0x7583a100 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="HeapFree") returned 0x75831ba0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="HeapAlloc") returned 0x77682bd0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleA") returned 0x758399f0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryA") returned 0x75844bf0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcess") returned 0x758338c0 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatW") returned 0x7585d170 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="WideCharToMultiByte") returned 0x75833880 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="FindFirstFileW") returned 0x75846960 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="GetWindowsDirectoryW") returned 0x75845120 [0249.359] GetProcAddress (hModule=0x75820000, lpProcName="SetFileAttributesW") returned 0x75846c20 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="lstrlenW") returned 0x75833690 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryW") returned 0x7583a840 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="FreeLibrary") returned 0x75839f50 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="GetCommandLineW") returned 0x7583aba0 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="GetVersionExA") returned 0x7583a700 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemInfo") returned 0x7583a0f0 [0249.360] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentDirectoryW") returned 0x7583a9a0 [0249.360] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ec0000 [0249.744] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffA") returned 0x74f4aba0 [0249.744] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffW") returned 0x74ef4d90 [0249.744] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75e00000 [0249.875] GetProcAddress (hModule=0x75e00000, lpProcName="CommandLineToArgvW") returned 0x75fabf80 [0249.875] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a90000 [0249.880] GetProcAddress (hModule=0x75a90000, lpProcName="CoCreateInstance") returned 0x75690060 [0249.881] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeEx") returned 0x756688d0 [0249.881] GetProcAddress (hModule=0x75a90000, lpProcName="CoSetProxyBlanket") returned 0x756660a0 [0249.881] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeSecurity") returned 0x756d3870 [0249.881] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74bb0000 [0249.881] GetProcAddress (hModule=0x74bb0000, lpProcName=0x14) returned 0x74bc2a10 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x6) returned 0x74bc9d40 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x2) returned 0x74bc9c90 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x9) returned 0x74bc9570 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x13) returned 0x74bc25b0 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x10) returned 0x74bc6200 [0249.882] GetProcAddress (hModule=0x74bb0000, lpProcName=0x19) returned 0x74bc5830 [0249.882] HeapCreate (flOptions=0x0, dwInitialSize=0x96000, dwMaximumSize=0x0) returned 0x49e0000 [0250.050] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x100) returned 0x4a5f5a8 [0250.053] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xd) returned 0x4a5f6b0 [0250.053] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0250.053] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x144) returned 0x4a5f6c8 [0250.062] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0250.062] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0250.071] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.071] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xa) returned 0x4a5f6b0 [0250.071] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77650000 [0250.071] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x40) returned 0x4a5f818 [0250.073] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.073] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xb) returned 0x4a5f6b0 [0250.073] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74ec0000 [0250.073] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x6c) returned 0x4a5f860 [0250.074] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.074] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xa) returned 0x4a5f6b0 [0250.074] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x74a60000 [0250.074] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x24) returned 0x4a5f8d8 [0250.074] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.074] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xd) returned 0x4a5f6b0 [0250.074] LoadLibraryA (lpLibFileName="netapi32.dll") returned 0x743a0000 [0250.077] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x18) returned 0x4a5f908 [0250.078] LoadLibraryA (lpLibFileName="SRVCLI.dll") returned 0x6f9d0000 [0250.082] GetProcAddress (hModule=0x6f9d0000, lpProcName="NetShareEnum") returned 0x6f9d4140 [0250.082] LoadLibraryA (lpLibFileName="SAMCLI.dll") returned 0x6f9b0000 [0250.173] GetProcAddress (hModule=0x6f9b0000, lpProcName="NetUserEnum") returned 0x6f9bc010 [0250.173] LoadLibraryA (lpLibFileName="NETUTILS.dll") returned 0x6f9a0000 [0250.176] GetProcAddress (hModule=0x6f9a0000, lpProcName="NetApiBufferFree") returned 0x6f9a16d0 [0250.176] LoadLibraryA (lpLibFileName="LOGONCLI.dll") returned 0x6f970000 [0250.180] GetProcAddress (hModule=0x6f970000, lpProcName="NetGetDCName") returned 0x6f98de00 [0250.180] LoadLibraryA (lpLibFileName="WKSCLI.dll") returned 0x6f960000 [0250.187] GetProcAddress (hModule=0x6f960000, lpProcName="NetGetJoinInformation") returned 0x6f962e90 [0250.187] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.187] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xd) returned 0x4a5f6b0 [0250.187] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77260000 [0250.187] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xd4) returned 0x4a5f928 [0250.190] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.190] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xc) returned 0x4a5f6b0 [0250.190] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x75a40000 [0250.190] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x2c) returned 0x4a5fa08 [0250.190] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.190] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xc) returned 0x4a5f6b0 [0250.190] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75e00000 [0250.190] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x8) returned 0x4a5fa40 [0250.190] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.190] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xc) returned 0x4a5f6b0 [0250.190] LoadLibraryA (lpLibFileName="userenv.dll") returned 0x6f940000 [0250.194] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x4) returned 0x4a5fa50 [0250.194] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.194] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0xb) returned 0x4a5f6b0 [0250.194] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77200000 [0250.198] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x10) returned 0x4a5fa60 [0250.198] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.201] GetCurrentProcess () returned 0xffffffff [0250.202] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcfe70 | out: TokenHandle=0xcfe70*=0x1c0) returned 1 [0250.202] GetTokenInformation (in: TokenHandle=0x1c0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfe50 | out: TokenInformation=0x0, ReturnLength=0xcfe50) returned 0 [0250.202] GetLastError () returned 0x7a [0250.202] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x24) returned 0x4a5fa78 [0250.202] GetTokenInformation (in: TokenHandle=0x1c0, TokenInformationClass=0x1, TokenInformation=0x4a5fa78, TokenInformationLength=0x24, ReturnLength=0xcfe60 | out: TokenInformation=0x4a5fa78, ReturnLength=0xcfe60) returned 1 [0250.202] CloseHandle (hObject=0x1c0) returned 1 [0250.202] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d1644, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\wermgr.exe" (normalized: "c:\\windows\\syswow64\\wermgr.exe")) returned 0x1e [0250.202] GetVersionExA (in: lpVersionInformation=0x4d0000*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x4d0000*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0250.202] GetCurrentProcessId () returned 0xa7c [0250.202] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0xcfe70 | out: bufptr=0xcfe70) returned 0x995 [0250.252] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0xcfe70, BufferType=0xcfe6c | out: lpNameBuffer=0xcfe70*="WORKGROUP", BufferType=0xcfe6c) returned 0x0 [0250.366] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x14) returned 0x4a5faa8 [0250.366] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.367] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.368] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.368] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.368] lstrlenW (lpString="䉁䑃䙅￿") returned 4 [0250.368] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x47) returned 0x4a5fac8 [0250.368] _vsnprintf (in: _DstBuf=0xcfe60, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf410 | out: _DstBuf="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 38 [0250.370] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fac8 | out: hHeap=0x49e0000) returned 1 [0250.370] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="{A310C111-CEDF-4B1D-9A50-2B2447874BB3}") returned 0x1e4 [0250.370] SetEvent (hEvent=0x1e4) returned 1 [0250.370] CloseHandle (hObject=0x1e4) returned 1 [0250.370] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x5) returned 0x4a5f6b0 [0250.370] SetCurrentDirectoryA (lpPathName="c:\\\\" (normalized: "c:")) returned 1 [0250.371] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5f6b0 | out: hHeap=0x49e0000) returned 1 [0250.371] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x110) returned 0x4a5fac8 [0250.371] lstrlenW (lpString="䉁䑃䙅\x0c") returned 4 [0250.371] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x21) returned 0x4a5fbe0 [0250.371] lstrlenW (lpString="䉁䑃䙅Jﯠҥמ") returned 7 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.371] lstrlenW (lpString="䉁䑃䙅J") returned 4 [0250.372] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fbe0 | out: hHeap=0x49e0000) returned 1 [0250.372] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x13) returned 0x4a5fbe0 [0250.372] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x21) returned 0x4a5fc00 [0250.372] lstrcatA (in: lpString1="", lpString2="Software\\Microsoft" | out: lpString1="Software\\Microsoft") returned="Software\\Microsoft" [0250.372] lstrcatA (in: lpString1="Software\\Microsoft", lpString2="\\" | out: lpString1="Software\\Microsoft\\") returned="Software\\Microsoft\\" [0250.372] lstrcatA (in: lpString1="Software\\Microsoft\\", lpString2="Fdircmnenyyey" | out: lpString1="Software\\Microsoft\\Fdircmnenyyey") returned="Software\\Microsoft\\Fdircmnenyyey" [0250.372] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fbe0 | out: hHeap=0x49e0000) returned 1 [0250.372] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfe28 | out: phkResult=0xcfe28*=0x1e8) returned 0x0 [0250.373] RegCloseKey (hKey=0x1e8) returned 0x0 [0250.373] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.377] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x10) returned 0x4a5f6b0 [0250.377] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1e8 [0250.377] GetFileSize (in: hFile=0x1e8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1ce00 [0250.377] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x1ce01) returned 0x49e04a0 [0250.378] ReadFile (in: hFile=0x1e8, lpBuffer=0x49e04a0, nNumberOfBytesToRead=0x1ce00, lpNumberOfBytesRead=0xcfe1c, lpOverlapped=0x0 | out: lpBuffer=0x49e04a0*, lpNumberOfBytesRead=0xcfe1c*=0x1ce00, lpOverlapped=0x0) returned 1 [0250.381] ReadFile (in: hFile=0x1e8, lpBuffer=0x49fd2a0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0xcfe1c, lpOverlapped=0x0 | out: lpBuffer=0x49fd2a0*, lpNumberOfBytesRead=0xcfe1c*=0x0, lpOverlapped=0x0) returned 1 [0250.381] CloseHandle (hObject=0x1e8) returned 1 [0250.381] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x5) returned 0x4a5fbe0 [0250.381] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x5) returned 0x4a5fbf0 [0250.381] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fbe0 | out: hHeap=0x49e0000) returned 1 [0250.384] lstrlenW (lpString="䉁䑃䙅䡇䩉䱋 ") returned 7 [0250.385] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0xcfdcc, cchNumber=34 | out: lpNumberStr="á\x81î\x11ø¶£\x0fMNm ¿)rg\x99¹}K\x07F²8d\x1d6íÛØ\x0c[q$µVtGæÂv×´2éÔ·kâõU34\x94ÌÝlÈ\x1f0b\x96\x08û`Õ*ÿ¼=¥ßÇ®è\x84½+\x98\x0e¨øK") returned 0 [0250.386] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x5c) returned 0x4a5fc00 [0250.386] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x3fff) returned 0x4a5fc68 [0250.386] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x800) returned 0x4a63c70 [0250.386] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x2001f, phkResult=0xcfe20 | out: phkResult=0xcfe20*=0x1ec) returned 0x0 [0250.386] RegQueryInfoKeyW (in: hKey=0x1ec, lpClass=0xcfbe8, lpcchClass=0xcfe0c, lpReserved=0x0, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfe10, lpcbMaxValueNameLen=0xcfdf8, lpcbMaxValueLen=0xcfdfc, lpcbSecurityDescriptor=0xcfe00, lpftLastWriteTime=0xcfdf0 | out: lpClass="", lpcchClass=0xcfe0c, lpcSubKeys=0x0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0xcfe10*=0x0, lpcbMaxValueNameLen=0xcfdf8, lpcbMaxValueLen=0xcfdfc, lpcbSecurityDescriptor=0xcfe00, lpftLastWriteTime=0xcfdf0) returned 0x0 [0250.386] RegCloseKey (hKey=0x1ec) returned 0x0 [0250.387] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc68 | out: hHeap=0x49e0000) returned 1 [0250.389] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a63c70 | out: hHeap=0x49e0000) returned 1 [0250.390] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.390] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x21) returned 0x4a5fc00 [0250.391] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Fdircmnenyyey", ulOptions=0x0, samDesired=0x20019, phkResult=0xcfc9c | out: phkResult=0xcfc9c*=0x1ec) returned 0x0 [0250.391] RegQueryValueExA (in: hKey=0x1ec, lpValueName="3665b42c", lpReserved=0x0, lpType=0xcfc94, lpData=0x0, lpcbData=0xcfc98*=0x0 | out: lpType=0xcfc94*=0x0, lpData=0x0, lpcbData=0xcfc98*=0x0) returned 0x2 [0250.391] RegCloseKey (hKey=0x1ec) returned 0x0 [0250.391] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.391] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4a26b2, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0xcfe50 | out: lpThreadId=0xcfe50*=0xd38) returned 0x1ec [0250.392] lstrlenW (lpString="䉁䑃䙅\\User\x0c䬇K\x0c") returned 14 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.392] lstrlenW (lpString="䉁䑃䙅\\") returned 4 [0250.393] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x47) returned 0x4a5fc00 [0250.393] _vsnprintf (in: _DstBuf=0xcfe2c, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf3d8 | out: _DstBuf="{5085B591-93ED-4978-9582-6C11B50A806A}") returned 38 [0250.393] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.393] OpenEventA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="{5085B591-93ED-4978-9582-6C11B50A806A}") returned 0x0 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ(") returned 5 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.393] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] lstrlenW (lpString="䉁䑃䙅ҟ") returned 4 [0250.394] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x47) returned 0x4a5fc00 [0250.394] _vsnprintf (in: _DstBuf=0xcfdf0, _MaxCount=0x28, _Format="{%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}", _ArgList=0xcf398 | out: _DstBuf="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 38 [0250.394] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.394] RtlAllocateHeap (HeapHandle=0x49e0000, Flags=0x8, Size=0x2e) returned 0x4a5fc00 [0250.394] lstrcatA (in: lpString1="", lpString2="Global" | out: lpString1="Global") returned="Global" [0250.394] lstrcatA (in: lpString1="Global", lpString2="\\" | out: lpString1="Global\\") returned="Global\\" [0250.394] lstrcatA (in: lpString1="Global\\", lpString2="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}" | out: lpString1="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}" [0250.394] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="Global\\{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 0x1e8 [0250.395] GetLastError () returned 0x0 [0250.395] CloseHandle (hObject=0x1e8) returned 1 [0250.395] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="{DE3A2553-AB1B-4C85-9686-F3F136EBACE2}") returned 0x1e8 [0250.395] GetLastError () returned 0xb7 [0250.395] WaitForSingleObject (hHandle=0x1e8, dwMilliseconds=0x0) returned 0x102 [0250.395] CloseHandle (hObject=0x1e8) returned 1 [0250.395] HeapFree (in: hHeap=0x49e0000, dwFlags=0x0, lpMem=0x4a5fc00 | out: hHeap=0x49e0000) returned 1 [0250.395] ExitProcess (uExitCode=0x0) Thread: id = 743 os_tid = 0x11b8 Thread: id = 747 os_tid = 0xd38 Process: id = "311" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1644f000" os_pid = "0x1120" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "309" os_parent_pid = "0x13ac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificate /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "312" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x12a04000" os_pid = "0x1114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22291 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22292 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22293 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22294 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22295 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22296 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22297 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22298 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22299 start_va = 0xae0000 end_va = 0xae1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 22300 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22301 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22302 start_va = 0x7eec0000 end_va = 0x7eee2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eec0000" filename = "" Region: id = 22303 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22304 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22305 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22306 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22311 start_va = 0x400000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22312 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22313 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22314 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22315 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22316 start_va = 0xaf0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 22319 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22320 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22321 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22322 start_va = 0x7edc0000 end_va = 0x7eebffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007edc0000" filename = "" Region: id = 22323 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22324 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22325 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22326 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22327 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22328 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 22329 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22330 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22331 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22332 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22333 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22334 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22337 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22338 start_va = 0xae0000 end_va = 0xae3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 22339 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22340 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22341 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22342 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22343 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22344 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22345 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22346 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22347 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22348 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22349 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 22350 start_va = 0xaf0000 end_va = 0xb19fff monitored = 0 entry_point = 0xaf5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22351 start_va = 0xc10000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 22352 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22355 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22356 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 22357 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 22358 start_va = 0xaf0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 22359 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22360 start_va = 0xaf0000 end_va = 0xb80fff monitored = 0 entry_point = 0xb28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22361 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 22363 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22364 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 22365 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 22366 start_va = 0xb00000 end_va = 0xb07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 22370 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 22371 start_va = 0xb10000 end_va = 0xb11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 22372 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 22373 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 22376 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b00000" filename = "" Region: id = 22377 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Thread: id = 655 os_tid = 0x10f4 [0214.550] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0214.550] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0214.550] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0214.550] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0214.551] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0214.551] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0214.551] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0214.551] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0214.552] GetProcessHeap () returned 0xc10000 [0214.552] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0214.552] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0214.552] GetLastError () returned 0x7e [0214.552] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0214.552] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0214.552] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x364) returned 0xc20a50 [0214.553] SetLastError (dwErrCode=0x7e) [0214.553] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xe00) returned 0xc20dc0 [0214.554] GetStartupInfoW (in: lpStartupInfo=0x18fbdc | out: lpStartupInfo=0x18fbdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0214.554] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0214.554] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0214.554] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0214.554] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"" [0214.554] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"" [0214.555] GetACP () returned 0x4e4 [0214.555] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x220) returned 0xc21bc8 [0214.555] IsValidCodePage (CodePage=0x4e4) returned 1 [0214.555] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbfc | out: lpCPInfo=0x18fbfc) returned 1 [0214.555] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4c4 | out: lpCPInfo=0x18f4c4) returned 1 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x18f268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0214.555] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f4d8 | out: lpCharType=0x18f4d8) returned 1 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x18f218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0214.555] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0214.555] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0214.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0214.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f008, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0214.555] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9d8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¯»ÉX\x14ü\x18", lpUsedDefaultChar=0x0) returned 256 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0214.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fad8, cbMultiByte=256, lpWideCharStr=0x18f238, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0214.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0214.556] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f028, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0214.556] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8d8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¯»ÉX\x14ü\x18", lpUsedDefaultChar=0x0) returned 256 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x80) returned 0xc13890 [0214.556] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x19e) returned 0xc21df0 [0214.556] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0214.556] GetLastError () returned 0x0 [0214.556] SetLastError (dwErrCode=0x0) [0214.556] GetEnvironmentStringsW () returned 0xc21f98* [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0xa8c) returned 0xc22a30 [0214.556] FreeEnvironmentStringsW (penv=0xc21f98) returned 1 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc14580 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3e) returned 0xc1aeb0 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x5c) returned 0xc18a80 [0214.556] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x6e) returned 0xc14878 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x78) returned 0xc236f0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc14000 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x28) returned 0xc19e58 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc13db0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1a) returned 0xc14648 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1af88 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc147e8 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2a) returned 0xc18888 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc18930 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1c) returned 0xc14670 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x144) returned 0xc19c98 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x7c) returned 0xc182e0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e5e0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1a9a0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc1a2a8 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13c10 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x30) returned 0xc18968 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e260 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc13930 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc12918 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3c) returned 0xc1ab50 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xd6) returned 0xc104a0 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc189d8 [0214.557] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1e) returned 0xc10580 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc18700 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x54) returned 0xc143b8 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc13e28 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc14418 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x42) returned 0xc14088 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc18770 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x44) returned 0xc140d8 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13e88 [0214.558] HeapFree (in: hHeap=0xc10000, dwFlags=0x0, lpMem=0xc22a30 | out: hHeap=0xc10000) returned 1 [0214.558] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x800) returned 0xc21f98 [0214.558] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0214.558] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0214.559] GetStartupInfoW (in: lpStartupInfo=0x18fc40 | out: lpStartupInfo=0x18fc40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0214.559] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"" [0214.559] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"", pNumArgs=0x18fc2c | out: pNumArgs=0x18fc2c) returned 0xc22be8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0214.559] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0214.561] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x1000) returned 0xc244d0 [0214.561] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x4c) returned 0xc1a3c0 [0214.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_freeCertificateId", cchWideChar=-1, lpMultiByteStr=0xc1a3c0, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_freeCertificateId", lpUsedDefaultChar=0x0) returned 38 [0214.562] GetLastError () returned 0x0 [0214.562] SetLastError (dwErrCode=0x0) [0214.562] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdW") returned 0x0 [0214.562] GetLastError () returned 0x7f [0214.562] SetLastError (dwErrCode=0x7f) [0214.562] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateIdA") returned 0x0 [0214.562] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_freeCertificateId") returned 0x647c69cb [0214.562] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x4) returned 0xc14128 [0214.562] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xc14128, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0214.562] GetActiveWindow () returned 0x0 [0214.563] GetLastError () returned 0x7f [0214.563] SetLastError (dwErrCode=0x7f) Thread: id = 657 os_tid = 0x10f8 Process: id = "313" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x12724000" os_pid = "0xb48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "312" os_parent_pid = "0x1114" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "314" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1211a000" os_pid = "0x10fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22407 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22408 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22409 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22410 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22411 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22412 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22413 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22414 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22415 start_va = 0xf40000 end_va = 0xf41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 22416 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22417 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22418 start_va = 0x7f2f0000 end_va = 0x7f312fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2f0000" filename = "" Region: id = 22419 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22420 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22421 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22422 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22424 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22425 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22426 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22427 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22428 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22429 start_va = 0xf50000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 22430 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22431 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22433 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22434 start_va = 0x7f1f0000 end_va = 0x7f2effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1f0000" filename = "" Region: id = 22435 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22436 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 22437 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22438 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22439 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22440 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 22441 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22442 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22443 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22444 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22445 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22446 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22447 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22448 start_va = 0xf40000 end_va = 0xf43fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 22449 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22450 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22451 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22453 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22454 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22455 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22456 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22457 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22458 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22459 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22460 start_va = 0x6a0000 end_va = 0x827fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 22461 start_va = 0xf50000 end_va = 0xf79fff monitored = 0 entry_point = 0xf55680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22462 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 22463 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22465 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22466 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 22467 start_va = 0x830000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 22468 start_va = 0xf50000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 22469 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22470 start_va = 0xf80000 end_va = 0x1010fff monitored = 0 entry_point = 0xfb8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22472 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22473 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 22474 start_va = 0xf70000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 22475 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 22476 start_va = 0xf60000 end_va = 0xf67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 22480 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 22484 start_va = 0xf80000 end_va = 0xf81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 22485 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 22486 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 22487 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 22488 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Thread: id = 659 os_tid = 0x1318 [0216.286] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0216.287] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0216.287] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0216.287] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0216.287] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0216.287] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0216.288] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0216.288] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0216.290] GetProcessHeap () returned 0x1100000 [0216.290] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0216.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0216.290] GetLastError () returned 0x7e [0216.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0216.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0216.290] RtlAllocateHeap (HeapHandle=0x1100000, Flags=0x8, Size=0x364) returned 0x1110a90 [0216.291] SetLastError (dwErrCode=0x7e) [0216.291] RtlAllocateHeap (HeapHandle=0x1100000, Flags=0x8, Size=0xe00) returned 0x1110e00 [0216.292] GetStartupInfoW (in: lpStartupInfo=0x18f93c | out: lpStartupInfo=0x18f93c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0216.292] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0216.293] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0216.293] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0216.293] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"1\"" [0216.293] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_freeCertificateIdList /fn_args=\"1\"" [0216.293] GetACP () returned 0x4e4 [0216.293] RtlAllocateHeap (HeapHandle=0x1100000, Flags=0x0, Size=0x220) returned 0x1111c08 [0216.293] IsValidCodePage (CodePage=0x4e4) returned 1 [0216.293] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f95c | out: lpCPInfo=0x18f95c) returned 1 [0216.293] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f224 | out: lpCPInfo=0x18f224) returned 1 [0216.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f838, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0216.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f838, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0216.293] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f238 | out: lpCharType=0x18f238) returned 1 [0216.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f838, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0216.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f838, cbMultiByte=256, lpWideCharStr=0x18ef78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0216.293] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0216.293] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0216.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0216.294] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0216.294] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f738, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x09\x90?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0216.294] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0216.294] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0216.294] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f638, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x09\x90?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0218.328] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f290 | out: lpCharType=0x18f290) returned 1 [0218.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0218.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0218.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0218.328] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0218.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0218.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0218.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f790, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ(¦.¾Ìù\x18", lpUsedDefaultChar=0x0) returned 256 [0218.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0218.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0218.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0218.328] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0218.328] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f690, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ(¦.¾Ìù\x18", lpUsedDefaultChar=0x0) returned 256 [0218.328] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x763890 [0218.328] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a0) returned 0x771df0 [0218.329] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0218.329] GetLastError () returned 0x0 [0218.329] SetLastError (dwErrCode=0x0) [0218.329] GetEnvironmentStringsW () returned 0x771f98* [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa8c) returned 0x772a30 [0218.329] FreeEnvironmentStringsW (penv=0x771f98) returned 1 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x764580 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3e) returned 0x76ab50 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x768a80 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x6e) returned 0x764878 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x78) returned 0x773ef0 [0218.329] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x764000 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x769e58 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x763db0 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x764648 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76ae68 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x7647e8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2a) returned 0x768930 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x768850 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x764670 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x144) returned 0x769c98 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x7c) returned 0x7682e0 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76df60 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76a9e8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x76a2a8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763c10 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x768658 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e4a0 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x763930 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x762918 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3c) returned 0x76ad90 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xd6) returned 0x7604a0 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x7686c8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1e) returned 0x760580 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x768888 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x54) returned 0x7643b8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x763e28 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x764418 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x42) returned 0x764088 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x7687a8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x7640d8 [0218.330] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763e88 [0218.332] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x772a30 | out: hHeap=0x760000) returned 1 [0218.332] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x800) returned 0x771f98 [0218.332] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0218.332] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0218.332] GetStartupInfoW (in: lpStartupInfo=0x18f9f8 | out: lpStartupInfo=0x18f9f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0218.333] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"1\"" [0218.333] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"1\"", pNumArgs=0x18f9e4 | out: pNumArgs=0x18f9e4) returned 0x772be8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0218.333] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0218.517] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1000) returned 0x7744d0 [0218.517] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4e) returned 0x76a3c0 [0218.517] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x76a3c0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateBlob", lpUsedDefaultChar=0x0) returned 39 [0218.517] GetLastError () returned 0x0 [0218.517] SetLastError (dwErrCode=0x0) [0218.518] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobW") returned 0x0 [0218.518] GetLastError () returned 0x7f [0218.518] SetLastError (dwErrCode=0x7f) [0218.518] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlobA") returned 0x0 [0218.518] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateBlob") returned 0x647c8232 [0218.518] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4) returned 0x764128 [0218.518] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x764128, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0218.518] GetActiveWindow () returned 0x0 [0218.520] GetLastError () returned 0x7f [0218.520] SetLastError (dwErrCode=0x7f) Thread: id = 664 os_tid = 0x13c0 Process: id = "317" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x1046b000" os_pid = "0x1140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "316" os_parent_pid = "0xa6c" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2668 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22610 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22611 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22612 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22613 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22614 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 22615 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 22616 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 22617 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22618 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22619 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 22620 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 22621 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22622 start_va = 0x7f240000 end_va = 0x7f262fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f240000" filename = "" Region: id = 22623 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22624 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22625 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 22626 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22627 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22628 start_va = 0x100000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 22629 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22630 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22631 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22632 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22633 start_va = 0x410000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 22634 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22635 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22636 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22637 start_va = 0x7f140000 end_va = 0x7f23ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f140000" filename = "" Region: id = 22638 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22639 start_va = 0x1c0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22640 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22641 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22642 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 22643 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 22644 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22645 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22646 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22647 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22648 start_va = 0x480000 end_va = 0x483fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 22649 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22650 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22651 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22652 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22653 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 22654 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 22673 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 22674 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 22675 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 22676 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 22677 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22678 start_va = 0x490000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 22679 start_va = 0x6d0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 22680 start_va = 0x490000 end_va = 0x493fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 22681 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 22689 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22690 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22703 start_va = 0x4a0000 end_va = 0x4c9fff monitored = 0 entry_point = 0x4a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22704 start_va = 0x7f0000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 22705 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22706 start_va = 0x980000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 22707 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 22708 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 22709 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22710 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 22711 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 22712 start_va = 0xb10000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 22751 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 22752 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 22753 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22754 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22755 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22756 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 22757 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22758 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22759 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22760 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22761 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22762 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22763 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22764 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22765 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22766 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22767 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22768 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22769 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22770 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22771 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22772 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22773 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22774 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22775 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22776 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22777 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22778 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22779 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22780 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22781 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22782 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22783 start_va = 0x4d0000 end_va = 0x4d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 22792 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 22793 start_va = 0x550000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 22794 start_va = 0x6d0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 22795 start_va = 0x7e0000 end_va = 0x7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 22800 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 22801 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22802 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 22803 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22804 start_va = 0x6f840000 end_va = 0x6f8affff monitored = 0 entry_point = 0x6f894b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 22805 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 22807 start_va = 0xb10000 end_va = 0xbf9fff monitored = 0 entry_point = 0xb4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22808 start_va = 0xc30000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 22809 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 22810 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22811 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 22812 start_va = 0xb10000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 22813 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22816 start_va = 0xc40000 end_va = 0xf76fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 22817 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22818 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22819 start_va = 0x4e0000 end_va = 0x4e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22820 start_va = 0x4e0000 end_va = 0x4e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22821 start_va = 0xf80000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 22822 start_va = 0x4e0000 end_va = 0x4e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22823 start_va = 0x4e0000 end_va = 0x4ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22824 start_va = 0x4e0000 end_va = 0x4edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22825 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22826 start_va = 0x4e0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22827 start_va = 0x4e0000 end_va = 0x4f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22828 start_va = 0x4e0000 end_va = 0x4f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22829 start_va = 0x4e0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22830 start_va = 0x4e0000 end_va = 0x4f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22831 start_va = 0x4e0000 end_va = 0x4fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22832 start_va = 0x4e0000 end_va = 0x4fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22833 start_va = 0x4e0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22860 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 22921 start_va = 0x6610000 end_va = 0x66e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 22923 start_va = 0x66f0000 end_va = 0x67a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 22926 start_va = 0x67b0000 end_va = 0x685dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067b0000" filename = "" Region: id = 22964 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 22965 start_va = 0x4f0000 end_va = 0x4f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 22980 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 22981 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 22982 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22983 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22984 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22985 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22986 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22987 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22988 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22989 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22990 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22991 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 22992 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23010 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23011 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23012 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23013 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23014 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23015 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23016 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23017 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23018 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23019 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23020 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23021 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 23022 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23033 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23034 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23035 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23036 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23037 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 23038 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 23039 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23040 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23041 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23042 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23043 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23089 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 23090 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 23091 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 23092 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 23093 start_va = 0x510000 end_va = 0x510fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 23094 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 23095 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23096 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 23097 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 23099 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 23403 start_va = 0x590000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 23404 start_va = 0x750000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 23405 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 23406 start_va = 0x1080000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 23407 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 23408 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 23545 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 23884 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 23885 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 24085 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 24345 start_va = 0x510000 end_va = 0x514fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 24346 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 24347 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 24469 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 24653 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 24654 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 24663 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 24664 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 24802 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 25032 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 25033 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 25034 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 25035 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 25036 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 25037 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 25038 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 25039 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 25040 start_va = 0x6890000 end_va = 0x694bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006890000" filename = "" Region: id = 25041 start_va = 0x560000 end_va = 0x563fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 25042 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 25043 start_va = 0x570000 end_va = 0x573fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 25044 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 25045 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 25047 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 25064 start_va = 0xc10000 end_va = 0xc10fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 25065 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 25066 start_va = 0xc20000 end_va = 0xc22fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 25067 start_va = 0x10d0000 end_va = 0x10d2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 25089 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 25090 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 25114 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 25221 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 25222 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 665 os_tid = 0x1050 Thread: id = 666 os_tid = 0x5f0 Thread: id = 670 os_tid = 0x13b4 Thread: id = 691 os_tid = 0x49c Thread: id = 692 os_tid = 0xe4c Thread: id = 693 os_tid = 0x6a8 Thread: id = 733 os_tid = 0x13e0 Thread: id = 748 os_tid = 0x358 Process: id = "318" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x67276000" os_pid = "0xbf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "316" os_parent_pid = "0xa6c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateBlob /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "319" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x10547000" os_pid = "0x1090" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22655 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22656 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22657 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22658 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22659 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22660 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22661 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22662 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22663 start_va = 0x9d0000 end_va = 0x9d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 22664 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22665 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22666 start_va = 0x7f0e0000 end_va = 0x7f102fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0e0000" filename = "" Region: id = 22667 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22668 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22669 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22670 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22682 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22683 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22684 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22685 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22686 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22687 start_va = 0x9e0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 22688 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22691 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22692 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22693 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 22694 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22695 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22696 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22697 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22698 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 22699 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22700 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22701 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22702 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22714 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22715 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22716 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22717 start_va = 0x9d0000 end_va = 0x9d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 22718 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22719 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22720 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22721 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22722 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22723 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22724 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22725 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22726 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22727 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22728 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 22729 start_va = 0x9e0000 end_va = 0xa09fff monitored = 0 entry_point = 0x9e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22730 start_va = 0xaf0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 22731 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22732 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22733 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22734 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 22735 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 22736 start_va = 0x9e0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 22737 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22738 start_va = 0xa50000 end_va = 0xae0fff monitored = 0 entry_point = 0xa88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22746 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22747 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 22748 start_va = 0xa40000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 22749 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 22750 start_va = 0x9f0000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 22786 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 22787 start_va = 0xa00000 end_va = 0xa01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 22788 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 22789 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 22790 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 22791 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Thread: id = 667 os_tid = 0x10bc [0220.480] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0220.480] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0220.481] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0220.481] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0220.481] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0220.481] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0220.482] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0220.482] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0220.482] GetProcessHeap () returned 0xaf0000 [0220.482] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0220.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0220.483] GetLastError () returned 0x7e [0220.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0220.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0220.483] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x364) returned 0xb00a88 [0220.483] SetLastError (dwErrCode=0x7e) [0220.484] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0xe00) returned 0xb00df8 [0220.485] GetStartupInfoW (in: lpStartupInfo=0x18f92c | out: lpStartupInfo=0x18f92c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0220.486] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0220.486] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0220.486] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0220.486] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"" [0220.486] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"" [0220.486] GetACP () returned 0x4e4 [0220.486] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x220) returned 0xb01c00 [0220.486] IsValidCodePage (CodePage=0x4e4) returned 1 [0220.486] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f94c | out: lpCPInfo=0x18f94c) returned 1 [0220.486] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f214 | out: lpCPInfo=0x18f214) returned 1 [0220.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0220.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x18efb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0220.486] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f228 | out: lpCharType=0x18f228) returned 1 [0220.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0220.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x18ef68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0220.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0220.487] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0220.487] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0220.487] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0220.487] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f728, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿEÒãìdù\x18", lpUsedDefaultChar=0x0) returned 256 [0220.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0220.487] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f828, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0220.487] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0220.487] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0220.487] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f628, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿEÒãìdù\x18", lpUsedDefaultChar=0x0) returned 256 [0220.487] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x80) returned 0xaf3890 [0220.487] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0220.487] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x19c) returned 0xb01e28 [0220.487] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0220.487] GetLastError () returned 0x0 [0220.487] SetLastError (dwErrCode=0x0) [0220.487] GetEnvironmentStringsW () returned 0xb01fd0* [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0xa8c) returned 0xb02a68 [0220.488] FreeEnvironmentStringsW (penv=0xb01fd0) returned 1 [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x90) returned 0xaf47e0 [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3e) returned 0xafafc0 [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x5c) returned 0xaf8ab8 [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x6e) returned 0xaf48a8 [0220.488] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x78) returned 0xb03da8 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x62) returned 0xaf4c78 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x28) returned 0xaf3db0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x48) returned 0xaf4000 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1a) returned 0xaf0570 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3a) returned 0xafacf0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x62) returned 0xaf3c10 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2a) returned 0xaf86c8 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2e) returned 0xaf87e0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1c) returned 0xaf3de0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x144) returned 0xaf9cd0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x7c) returned 0xaf8318 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x36) returned 0xafe698 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3a) returned 0xafabd0 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x90) returned 0xaf4618 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3930 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x30) returned 0xaf8700 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x36) returned 0xafe6d8 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x48) returned 0xaf2918 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x52) returned 0xaf04b8 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x3c) returned 0xafad38 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0xd6) returned 0xaf9e90 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2e) returned 0xaf8930 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x1e) returned 0xaf2968 [0220.489] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2c) returned 0xaf87a8 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x54) returned 0xaf3e28 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x52) returned 0xaf4088 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3e88 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x42) returned 0xaf40e8 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x2c) returned 0xaf8818 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x44) returned 0xaf9fc0 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x24) returned 0xaf3960 [0220.490] HeapFree (in: hHeap=0xaf0000, dwFlags=0x0, lpMem=0xb02a68 | out: hHeap=0xaf0000) returned 1 [0220.490] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x8, Size=0x800) returned 0xb01fd0 [0220.491] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0220.491] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0220.491] GetStartupInfoW (in: lpStartupInfo=0x18f990 | out: lpStartupInfo=0x18f990*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0220.491] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"" [0220.491] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"", pNumArgs=0x18f97c | out: pNumArgs=0x18f97c) returned 0xb02c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0220.493] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0220.496] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x1000) returned 0xb04508 [0220.496] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x4a) returned 0xafa708 [0220.496] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getCertificateId", cchWideChar=-1, lpMultiByteStr=0xafa708, cbMultiByte=74, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getCertificateId", lpUsedDefaultChar=0x0) returned 37 [0220.496] GetLastError () returned 0x0 [0220.496] SetLastError (dwErrCode=0x0) [0220.497] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdW") returned 0x0 [0220.497] GetLastError () returned 0x7f [0220.497] SetLastError (dwErrCode=0x7f) [0220.497] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateIdA") returned 0x0 [0220.497] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getCertificateId") returned 0x647c8109 [0220.497] RtlAllocateHeap (HeapHandle=0xaf0000, Flags=0x0, Size=0x4) returned 0xaf3838 [0220.497] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xaf3838, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0220.497] GetActiveWindow () returned 0x0 [0220.498] GetLastError () returned 0x7f [0220.498] SetLastError (dwErrCode=0x7f) Thread: id = 669 os_tid = 0xdcc Process: id = "320" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1002b000" os_pid = "0xdc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "319" os_parent_pid = "0x1090" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getCertificateId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "321" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xf95d000" os_pid = "0x108c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22834 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22835 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22836 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22837 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22838 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22839 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22840 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22841 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22842 start_va = 0x980000 end_va = 0x981fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 22843 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22844 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22845 start_va = 0x7f7c0000 end_va = 0x7f7e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7c0000" filename = "" Region: id = 22846 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22847 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22848 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22849 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22851 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22852 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22853 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22854 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22855 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22856 start_va = 0x990000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 22857 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22861 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22862 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22863 start_va = 0x7f6c0000 end_va = 0x7f7bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6c0000" filename = "" Region: id = 22864 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22865 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 22866 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22867 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22868 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22869 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 22870 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22871 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22872 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22873 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22874 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22875 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22876 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22882 start_va = 0x980000 end_va = 0x983fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 22883 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22884 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22885 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22886 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 22887 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 22888 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 22889 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 22890 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 22891 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 22892 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 22893 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 22894 start_va = 0x990000 end_va = 0x9b9fff monitored = 0 entry_point = 0x995680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22895 start_va = 0xae0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 22896 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 22897 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 22898 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 22899 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 22900 start_va = 0xbe0000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 22901 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 22902 start_va = 0x990000 end_va = 0xa20fff monitored = 0 entry_point = 0x9c8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 22905 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 22906 start_va = 0x990000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 22907 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 22908 start_va = 0x9a0000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 22912 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 22913 start_va = 0x9b0000 end_va = 0x9b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 22914 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 22915 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 22917 start_va = 0x9a0000 end_va = 0x9a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 22918 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Thread: id = 671 os_tid = 0x10d8 [0222.358] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0222.358] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0222.358] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0222.358] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0222.358] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0222.358] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0222.359] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0222.359] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0222.360] GetProcessHeap () returned 0xae0000 [0222.360] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0222.360] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0222.360] GetLastError () returned 0x7e [0222.360] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0222.360] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0222.360] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x364) returned 0xaf0d08 [0222.360] SetLastError (dwErrCode=0x7e) [0222.360] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0xe00) returned 0xaf1078 [0222.362] GetStartupInfoW (in: lpStartupInfo=0x18f6bc | out: lpStartupInfo=0x18f6bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0222.362] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0222.362] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0222.362] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0222.362] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"" [0222.362] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"" [0222.362] GetACP () returned 0x4e4 [0222.362] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0x220) returned 0xaf1e80 [0222.362] IsValidCodePage (CodePage=0x4e4) returned 1 [0222.362] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6dc | out: lpCPInfo=0x18f6dc) returned 1 [0222.362] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18efa4 | out: lpCPInfo=0x18efa4) returned 1 [0222.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0222.362] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x18ed48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0222.363] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18efb8 | out: lpCharType=0x18efb8) returned 1 [0222.363] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0222.363] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x18ecf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0222.363] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0222.363] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0222.363] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0222.363] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eae8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0222.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f4b8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x06Ýé©ôö\x18", lpUsedDefaultChar=0x0) returned 256 [0222.363] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0222.363] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5b8, cbMultiByte=256, lpWideCharStr=0x18ed18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0222.363] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0222.363] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0222.363] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f3b8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x06Ýé©ôö\x18", lpUsedDefaultChar=0x0) returned 256 [0222.363] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0x80) returned 0xae3880 [0222.364] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x196) returned 0xaf20a8 [0222.364] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0222.364] GetLastError () returned 0x0 [0222.364] SetLastError (dwErrCode=0x0) [0222.364] GetEnvironmentStringsW () returned 0xaf2248* [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0xa8c) returned 0xaf2ce0 [0222.364] FreeEnvironmentStringsW (penv=0xaf2248) returned 1 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x90) returned 0xae4570 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x3e) returned 0xaeafc0 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x5c) returned 0xae8aa0 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x6e) returned 0xaea718 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x78) returned 0xaf4620 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x62) returned 0xae4a08 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x28) returned 0xae0578 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x48) returned 0xaea638 [0222.364] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x1a) returned 0xae3da0 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x3a) returned 0xaeaee8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x62) returned 0xae3ff0 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x2a) returned 0xae86b0 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x2e) returned 0xae8870 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x1c) returned 0xae3dc8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x144) returned 0xae9cb8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x7c) returned 0xae8300 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x36) returned 0xaee258 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x3a) returned 0xaeb200 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x90) returned 0xae43a8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x24) returned 0xae4868 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x30) returned 0xae8800 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x36) returned 0xaee218 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x48) returned 0xae4638 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x52) returned 0xae47d8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x3c) returned 0xaeb248 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0xd6) returned 0xae9e78 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x2e) returned 0xae8950 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x1e) returned 0xae4688 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x2c) returned 0xae86e8 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x54) returned 0xae3c00 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x52) returned 0xae3920 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x24) returned 0xae4898 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x42) returned 0xae2910 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x2c) returned 0xae8758 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x44) returned 0xae8188 [0222.365] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x24) returned 0xae81d8 [0222.366] HeapFree (in: hHeap=0xae0000, dwFlags=0x0, lpMem=0xaf2ce0 | out: hHeap=0xae0000) returned 1 [0222.366] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x8, Size=0x800) returned 0xaf2248 [0222.504] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0222.504] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0222.505] GetStartupInfoW (in: lpStartupInfo=0x18f720 | out: lpStartupInfo=0x18f720*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0222.505] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"" [0222.505] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"", pNumArgs=0x18f70c | out: pNumArgs=0x18f70c) returned 0xaf2e98*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0222.506] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0222.510] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0x1000) returned 0xaf4780 [0222.510] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0x44) returned 0xae4078 [0222.510] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getPromptMask", cchWideChar=-1, lpMultiByteStr=0xae4078, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getPromptMask", lpUsedDefaultChar=0x0) returned 34 [0222.510] GetLastError () returned 0x0 [0222.510] SetLastError (dwErrCode=0x0) [0222.511] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskW") returned 0x0 [0222.511] GetLastError () returned 0x7f [0222.511] SetLastError (dwErrCode=0x7f) [0222.511] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMaskA") returned 0x0 [0222.511] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getPromptMask") returned 0x647c8041 [0222.511] RtlAllocateHeap (HeapHandle=0xae0000, Flags=0x0, Size=0x4) returned 0xaea8a0 [0222.511] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xaea8a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0222.511] GetActiveWindow () returned 0x0 [0222.512] GetLastError () returned 0x7f [0222.512] SetLastError (dwErrCode=0x7f) Thread: id = 673 os_tid = 0x1130 Process: id = "322" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xf38b000" os_pid = "0xc0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "321" os_parent_pid = "0x108c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getPromptMask /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "323" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2e873000" os_pid = "0xc70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 22939 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 22940 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 22941 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 22942 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 22943 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 22944 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 22945 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 22946 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 22947 start_va = 0xd10000 end_va = 0xd11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 22948 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 22949 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 22950 start_va = 0x7f060000 end_va = 0x7f082fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 22951 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 22952 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 22953 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 22954 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 22956 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 22957 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 22958 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 22959 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22960 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 22961 start_va = 0xd20000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 22962 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 22963 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 22967 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 22968 start_va = 0x7ef60000 end_va = 0x7f05ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 22969 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 22970 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 22971 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 22972 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 22973 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 22974 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 22975 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 22976 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 22977 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 22978 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 22979 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 22994 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 22995 start_va = 0xd10000 end_va = 0xd13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 22996 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 22997 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 22998 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 22999 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23000 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23001 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23002 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23003 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23004 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23005 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23006 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 23007 start_va = 0xd20000 end_va = 0xd49fff monitored = 0 entry_point = 0xd25680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23008 start_va = 0xd60000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 23009 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23025 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23026 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23027 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 23028 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 23029 start_va = 0xe60000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 23030 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23031 start_va = 0xe60000 end_va = 0xef0fff monitored = 0 entry_point = 0xe98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23032 start_va = 0xf90000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 23085 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23086 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 23087 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 23088 start_va = 0xd30000 end_va = 0xd37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 23103 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 23104 start_va = 0xd40000 end_va = 0xd41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 23105 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 23106 start_va = 0xd40000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 23107 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d30000" filename = "" Region: id = 23109 start_va = 0xd40000 end_va = 0xd40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Thread: id = 675 os_tid = 0xe18 [0225.117] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0225.117] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0225.117] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0225.117] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0225.118] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0225.118] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0225.119] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0225.119] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0225.119] GetProcessHeap () returned 0xd60000 [0225.120] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0225.120] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0225.120] GetLastError () returned 0x7e [0225.120] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0225.120] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0225.120] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x364) returned 0xd70968 [0225.121] SetLastError (dwErrCode=0x7e) [0225.121] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0xe00) returned 0xd70cd8 [0225.122] GetStartupInfoW (in: lpStartupInfo=0x18f95c | out: lpStartupInfo=0x18f95c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0225.123] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0225.123] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0225.123] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0225.123] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"" [0225.123] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"" [0225.123] GetACP () returned 0x4e4 [0225.123] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0x220) returned 0xd71ae0 [0225.123] IsValidCodePage (CodePage=0x4e4) returned 1 [0225.123] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f97c | out: lpCPInfo=0x18f97c) returned 1 [0225.123] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f244 | out: lpCPInfo=0x18f244) returned 1 [0225.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0225.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0225.123] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f258 | out: lpCharType=0x18f258) returned 1 [0225.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0225.123] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18ef98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0225.123] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0225.123] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0225.123] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0225.124] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0225.124] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f758, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'{\x89", lpUsedDefaultChar=0x0) returned 256 [0225.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0225.124] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f858, cbMultiByte=256, lpWideCharStr=0x18efb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0225.124] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0225.124] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eda8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0225.124] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f658, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ'{\x89", lpUsedDefaultChar=0x0) returned 256 [0225.124] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0x80) returned 0xd63878 [0225.124] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0225.124] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x192) returned 0xd71d08 [0225.124] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0225.124] GetLastError () returned 0x0 [0225.124] SetLastError (dwErrCode=0x0) [0225.124] GetEnvironmentStringsW () returned 0xd71ea8* [0225.124] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0xa8c) returned 0xd72940 [0225.125] FreeEnvironmentStringsW (penv=0xd71ea8) returned 1 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x90) returned 0xd64568 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x3e) returned 0xd6a988 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x5c) returned 0xd68a68 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x6e) returned 0xd64860 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x78) returned 0xd74100 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x62) returned 0xd63fe8 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x28) returned 0xd69e40 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x48) returned 0xd63d98 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x1a) returned 0xd64630 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x3a) returned 0xd6b0d8 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x62) returned 0xd647d0 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x2a) returned 0xd68758 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x2e) returned 0xd68790 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x1c) returned 0xd64658 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x144) returned 0xd69c80 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x7c) returned 0xd682c8 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x36) returned 0xd6df38 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x3a) returned 0xd6aca0 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x90) returned 0xd6a290 [0225.125] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x24) returned 0xd63bf8 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x30) returned 0xd68988 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x36) returned 0xd6df78 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x48) returned 0xd63918 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x52) returned 0xd62908 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x3c) returned 0xd6aaf0 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0xd6) returned 0xd604a0 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x2e) returned 0xd68800 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x1e) returned 0xd60580 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x2c) returned 0xd68640 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x54) returned 0xd643a0 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x52) returned 0xd63e10 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x24) returned 0xd64400 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x42) returned 0xd64070 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x2c) returned 0xd68838 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x44) returned 0xd640c0 [0225.126] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x24) returned 0xd63e70 [0225.127] HeapFree (in: hHeap=0xd60000, dwFlags=0x0, lpMem=0xd72940 | out: hHeap=0xd60000) returned 1 [0225.127] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x8, Size=0x800) returned 0xd71ea8 [0225.127] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0225.127] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0225.127] GetStartupInfoW (in: lpStartupInfo=0x18f9c0 | out: lpStartupInfo=0x18f9c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0225.127] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"" [0225.127] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"", pNumArgs=0x18f9ac | out: pNumArgs=0x18f9ac) returned 0xd72af8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0225.128] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0225.130] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0x1000) returned 0xd743e0 [0225.130] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0x40) returned 0xd6a9d0 [0225.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_getUserData", cchWideChar=-1, lpMultiByteStr=0xd6a9d0, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_getUserData", lpUsedDefaultChar=0x0) returned 32 [0225.131] GetLastError () returned 0x0 [0225.131] SetLastError (dwErrCode=0x0) [0225.131] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataW") returned 0x0 [0225.131] GetLastError () returned 0x7f [0225.131] SetLastError (dwErrCode=0x7f) [0225.131] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserDataA") returned 0x0 [0225.131] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_getUserData") returned 0x647c80a5 [0225.131] RtlAllocateHeap (HeapHandle=0xd60000, Flags=0x0, Size=0x4) returned 0xd64110 [0225.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xd64110, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0225.131] GetActiveWindow () returned 0x0 [0225.133] GetLastError () returned 0x7f [0225.133] SetLastError (dwErrCode=0x7f) Thread: id = 677 os_tid = 0x130c Process: id = "324" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xece7000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "323" os_parent_pid = "0xc70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_getUserData /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "325" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xec8b000" os_pid = "0xdfc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23116 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23117 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23118 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23119 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23120 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23121 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23122 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23123 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23124 start_va = 0xea0000 end_va = 0xea1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 23125 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23126 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23127 start_va = 0x7e4f0000 end_va = 0x7e512fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4f0000" filename = "" Region: id = 23128 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23129 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23130 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23131 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23132 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23133 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23134 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23135 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23136 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23137 start_va = 0xeb0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 23138 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23139 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23142 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23143 start_va = 0x7e3f0000 end_va = 0x7e4effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3f0000" filename = "" Region: id = 23144 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23145 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23146 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23147 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23148 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 23149 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23150 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23151 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23152 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23153 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23154 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23155 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23156 start_va = 0xea0000 end_va = 0xea3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 23157 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23158 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23159 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23161 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23162 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23163 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23164 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23165 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23166 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23167 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23168 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 23169 start_va = 0xeb0000 end_va = 0xed9fff monitored = 0 entry_point = 0xeb5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23170 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 23171 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23173 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23174 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23175 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23176 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 23177 start_va = 0xeb0000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 23178 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23179 start_va = 0x1010000 end_va = 0x10a0fff monitored = 0 entry_point = 0x1048cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23180 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23181 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 23182 start_va = 0xf00000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 23183 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 23184 start_va = 0xec0000 end_va = 0xec7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 23187 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 23188 start_va = 0xed0000 end_va = 0xed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 23189 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 23190 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ed0000" filename = "" Region: id = 23195 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 23196 start_va = 0xed0000 end_va = 0xed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Thread: id = 678 os_tid = 0xc30 [0226.768] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0226.768] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0226.769] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0226.769] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0226.769] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0226.769] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0226.769] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0226.770] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0226.770] GetProcessHeap () returned 0xf10000 [0226.770] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0226.770] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0226.770] GetLastError () returned 0x7e [0226.770] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0226.770] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0226.771] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x364) returned 0xf209a0 [0226.771] SetLastError (dwErrCode=0x7e) [0226.771] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xe00) returned 0xf20d10 [0226.772] GetStartupInfoW (in: lpStartupInfo=0x18f7f4 | out: lpStartupInfo=0x18f7f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0226.772] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0226.772] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0226.772] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0226.772] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"" [0226.773] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"" [0226.773] GetACP () returned 0x4e4 [0226.773] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x220) returned 0xf21b18 [0226.773] IsValidCodePage (CodePage=0x4e4) returned 1 [0226.773] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f814 | out: lpCPInfo=0x18f814) returned 1 [0226.773] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0dc | out: lpCPInfo=0x18f0dc) returned 1 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x18ee78, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0226.773] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0f0 | out: lpCharType=0x18f0f0) returned 1 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x18ee38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0226.773] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0226.773] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0226.773] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0226.773] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0226.773] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿxM\x9c[,ø\x18", lpUsedDefaultChar=0x0) returned 256 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0226.773] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0226.774] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0226.774] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0226.774] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿxM\x9c[,ø\x18", lpUsedDefaultChar=0x0) returned 256 [0226.774] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x80) returned 0xf13878 [0226.774] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0226.774] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x192) returned 0xf21d40 [0226.774] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0226.774] GetLastError () returned 0x0 [0226.774] SetLastError (dwErrCode=0x0) [0226.774] GetEnvironmentStringsW () returned 0xf21ee0* [0226.774] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0xa8c) returned 0xf22978 [0226.774] FreeEnvironmentStringsW (penv=0xf21ee0) returned 1 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14568 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3e) returned 0xf1ad20 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x5c) returned 0xf18840 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x6e) returned 0xf14630 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x78) returned 0xf240b8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf14a00 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x28) returned 0xf13d98 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf13fe8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1a) returned 0xf10570 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1afa8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf13bf8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2a) returned 0xf18648 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf184c0 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1c) returned 0xf13dc8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x144) returned 0xf19cb8 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x7c) returned 0xf180a0 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e0f0 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1ab28 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf143a0 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13918 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x30) returned 0xf18610 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e0b0 [0226.775] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf12908 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf104b8 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3c) returned 0xf1ad68 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xd6) returned 0xf19e78 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf186f0 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1e) returned 0xf12958 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18680 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x54) returned 0xf13e10 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf14070 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13e70 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x42) returned 0xf140d0 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf186b8 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x44) returned 0xf19fa8 [0226.776] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13948 [0226.777] HeapFree (in: hHeap=0xf10000, dwFlags=0x0, lpMem=0xf22978 | out: hHeap=0xf10000) returned 1 [0226.873] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x800) returned 0xf21ee0 [0226.874] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0226.874] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0226.874] GetStartupInfoW (in: lpStartupInfo=0x18f858 | out: lpStartupInfo=0x18f858*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0226.874] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"" [0226.874] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"", pNumArgs=0x18f844 | out: pNumArgs=0x18f844) returned 0xf22b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0226.875] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0226.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x1000) returned 0xf24418 [0226.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x40) returned 0xf1ac90 [0226.878] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_lockSession", cchWideChar=-1, lpMultiByteStr=0xf1ac90, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_lockSession", lpUsedDefaultChar=0x0) returned 32 [0226.878] GetLastError () returned 0x0 [0226.878] SetLastError (dwErrCode=0x0) [0226.878] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionW") returned 0x0 [0226.878] GetLastError () returned 0x7f [0226.878] SetLastError (dwErrCode=0x7f) [0226.878] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSessionA") returned 0x0 [0226.878] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_lockSession") returned 0x647c6f74 [0226.878] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x4) returned 0xf13820 [0226.878] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xf13820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0226.878] GetActiveWindow () returned 0x0 [0226.879] GetLastError () returned 0x7f [0226.879] SetLastError (dwErrCode=0x7f) Thread: id = 680 os_tid = 0xc8c Process: id = "326" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xed1c000" os_pid = "0x11a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "325" os_parent_pid = "0xdfc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_lockSession /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "327" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xdba3000" os_pid = "0xca4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23198 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23199 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23200 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23201 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23202 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23203 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23204 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23205 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23206 start_va = 0xac0000 end_va = 0xac1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 23207 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23208 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23209 start_va = 0x7f090000 end_va = 0x7f0b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f090000" filename = "" Region: id = 23210 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23211 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23212 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23213 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23215 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23216 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23217 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23218 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23219 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23220 start_va = 0xad0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 23221 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23222 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23223 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23224 start_va = 0x7ef90000 end_va = 0x7f08ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef90000" filename = "" Region: id = 23225 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23226 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 23227 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23228 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23229 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23230 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 23231 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23232 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23233 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23234 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23235 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23236 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23237 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23238 start_va = 0xac0000 end_va = 0xac3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 23239 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23240 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23241 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23242 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23243 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23244 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23245 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23246 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23247 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23248 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23249 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 23250 start_va = 0xad0000 end_va = 0xaf9fff monitored = 0 entry_point = 0xad5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23251 start_va = 0xc10000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 23252 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23253 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23254 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23255 start_va = 0x7b0000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 23256 start_va = 0xd10000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 23257 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23258 start_va = 0xad0000 end_va = 0xb60fff monitored = 0 entry_point = 0xb08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23259 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23260 start_va = 0xad0000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 23261 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 23262 start_va = 0xae0000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 23263 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 23264 start_va = 0xaf0000 end_va = 0xaf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 23265 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 23266 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000af0000" filename = "" Region: id = 23267 start_va = 0xae0000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 23268 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Thread: id = 684 os_tid = 0x414 [0228.420] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0228.420] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0228.420] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0228.420] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0228.420] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0228.421] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0228.421] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0228.421] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0228.422] GetProcessHeap () returned 0xc10000 [0228.422] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0228.422] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0228.422] GetLastError () returned 0x7e [0228.422] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0228.422] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0228.422] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x364) returned 0xc209a8 [0228.422] SetLastError (dwErrCode=0x7e) [0228.423] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xe00) returned 0xc20d18 [0228.424] GetStartupInfoW (in: lpStartupInfo=0x18fc40 | out: lpStartupInfo=0x18fc40*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0228.424] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0228.424] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0228.424] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0228.424] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"" [0228.425] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"" [0228.425] GetACP () returned 0x4e4 [0228.425] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x220) returned 0xc21b20 [0228.425] IsValidCodePage (CodePage=0x4e4) returned 1 [0228.425] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc60 | out: lpCPInfo=0x18fc60) returned 1 [0228.425] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f528 | out: lpCPInfo=0x18f528) returned 1 [0228.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0228.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x18f2c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0228.425] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f53c | out: lpCharType=0x18f53c) returned 1 [0228.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0228.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0228.425] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0228.425] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0228.425] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0228.425] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f068, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0228.425] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa3c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿx\x03¨\x8exü\x18", lpUsedDefaultChar=0x0) returned 256 [0228.426] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0228.426] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb3c, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0228.426] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0228.426] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f088, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0228.426] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f93c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿx\x03¨\x8exü\x18", lpUsedDefaultChar=0x0) returned 256 [0228.426] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x80) returned 0xc13880 [0228.426] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0228.426] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x198) returned 0xc21d48 [0228.426] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0228.426] GetLastError () returned 0x0 [0228.426] SetLastError (dwErrCode=0x0) [0228.426] GetEnvironmentStringsW () returned 0xc21ee8* [0228.426] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0xa8c) returned 0xc22980 [0228.427] FreeEnvironmentStringsW (penv=0xc21ee8) returned 1 [0228.427] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc147d0 [0228.427] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3e) returned 0xc1b088 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x5c) returned 0xc18aa8 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x6e) returned 0xc14898 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x78) returned 0xc23440 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc14c68 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x28) returned 0xc13da0 [0228.456] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc13ff0 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1a) returned 0xc10570 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1ae48 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc13c00 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2a) returned 0xc18760 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc18680 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1c) returned 0xc13dd0 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x144) returned 0xc19cc0 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x7c) returned 0xc18308 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e538 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1b0d0 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc14608 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13920 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x30) returned 0xc18798 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e2f8 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc12910 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc104b8 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3c) returned 0xc1ae90 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xd6) returned 0xc19e80 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc188e8 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1e) returned 0xc12960 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc18878 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x54) returned 0xc13e18 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc14078 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13e78 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x42) returned 0xc140d8 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc186b8 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x44) returned 0xc19fb0 [0228.457] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13950 [0228.458] HeapFree (in: hHeap=0xc10000, dwFlags=0x0, lpMem=0xc22980 | out: hHeap=0xc10000) returned 1 [0228.458] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x800) returned 0xc21ee8 [0228.458] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0228.458] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0228.459] GetStartupInfoW (in: lpStartupInfo=0x18fca4 | out: lpStartupInfo=0x18fca4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0228.459] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"" [0228.459] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"", pNumArgs=0x18fc90 | out: pNumArgs=0x18fc90) returned 0xc22b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0228.459] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0228.462] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x1000) returned 0xc24420 [0228.462] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x46) returned 0xc1a7e0 [0228.462] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_releaseSession", cchWideChar=-1, lpMultiByteStr=0xc1a7e0, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_releaseSession", lpUsedDefaultChar=0x0) returned 35 [0228.463] GetLastError () returned 0x0 [0228.463] SetLastError (dwErrCode=0x0) [0228.463] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionW") returned 0x0 [0228.463] GetLastError () returned 0x7f [0228.463] SetLastError (dwErrCode=0x7f) [0228.463] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSessionA") returned 0x0 [0228.463] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_releaseSession") returned 0x647c7018 [0228.463] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x4) returned 0xc13828 [0228.463] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xc13828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0228.463] GetActiveWindow () returned 0x0 [0228.464] GetLastError () returned 0x7f [0228.464] SetLastError (dwErrCode=0x7f) Thread: id = 686 os_tid = 0x9f8 Process: id = "328" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xd083000" os_pid = "0xe64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "327" os_parent_pid = "0xca4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_releaseSession /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "329" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xccbb000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23326 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23327 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23328 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23329 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23330 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23331 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23332 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23333 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23334 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23335 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23336 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23337 start_va = 0x7eea0000 end_va = 0x7eec2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eea0000" filename = "" Region: id = 23338 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23339 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23340 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23341 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23344 start_va = 0x410000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 23345 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23346 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23347 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23348 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23349 start_va = 0x4a0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 23350 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23353 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23354 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23355 start_va = 0x7eda0000 end_va = 0x7ee9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eda0000" filename = "" Region: id = 23356 start_va = 0x5f0000 end_va = 0x6adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23357 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23358 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23359 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23360 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 23361 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23362 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23363 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23364 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23365 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23366 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23367 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23368 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23370 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23371 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23372 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23373 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23374 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23375 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23376 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23377 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23378 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23379 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23380 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23381 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 23382 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 23383 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23385 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23386 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 23387 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 23388 start_va = 0xad0000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 23389 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23392 start_va = 0xad0000 end_va = 0xb60fff monitored = 0 entry_point = 0xb08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23393 start_va = 0xc40000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 23397 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23398 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 23399 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 23400 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 23409 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 23410 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23413 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 23414 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23415 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 23416 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 688 os_tid = 0xcbc [0230.808] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0230.809] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0230.809] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0230.809] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0230.809] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0230.809] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0230.810] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0230.810] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0230.810] GetProcessHeap () returned 0x4f0000 [0230.810] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0230.811] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0230.811] GetLastError () returned 0x7e [0230.811] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0230.811] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0230.811] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x364) returned 0x500a98 [0230.811] SetLastError (dwErrCode=0x7e) [0230.811] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe00) returned 0x500e08 [0230.813] GetStartupInfoW (in: lpStartupInfo=0x18f96c | out: lpStartupInfo=0x18f96c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0230.813] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0230.813] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0230.813] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0230.813] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"" [0230.813] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"" [0230.813] GetACP () returned 0x4e4 [0230.813] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x220) returned 0x501c10 [0230.813] IsValidCodePage (CodePage=0x4e4) returned 1 [0230.813] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f98c | out: lpCPInfo=0x18f98c) returned 1 [0230.813] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f254 | out: lpCPInfo=0x18f254) returned 1 [0230.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0230.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0230.813] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f268 | out: lpCharType=0x18f268) returned 1 [0230.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0230.813] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0230.813] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0230.814] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0230.814] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0230.814] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0230.814] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f768, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¥O×ɤù\x18", lpUsedDefaultChar=0x0) returned 256 [0230.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0230.814] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f868, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0230.814] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0230.814] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0230.814] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f668, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¥O×ɤù\x18", lpUsedDefaultChar=0x0) returned 256 [0230.814] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x80) returned 0x4f3898 [0230.814] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0230.814] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a8) returned 0x501e38 [0230.814] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0230.814] GetLastError () returned 0x0 [0230.814] SetLastError (dwErrCode=0x0) [0230.814] GetEnvironmentStringsW () returned 0x501fe8* [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0xa8c) returned 0x502a80 [0230.815] FreeEnvironmentStringsW (penv=0x501fe8) returned 1 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4588 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3e) returned 0x4fabe0 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x5c) returned 0x4f8ac8 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x6e) returned 0x4f4880 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x78) returned 0x504140 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f4a20 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x4f3db8 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f4008 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x4f3de8 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4faf40 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f4650 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2a) returned 0x4f8748 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f89e8 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x4f47f0 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x144) returned 0x4f9ce0 [0230.815] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x7c) returned 0x4f43c0 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe128 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fac28 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f3e30 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f4818 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x30) returned 0x4f86d8 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe1e8 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f3c18 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f3938 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3c) returned 0x4faf88 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xd6) returned 0x4f9ea0 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f8828 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1e) returned 0x4f3c68 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f8860 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x4f2920 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f04b8 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f4090 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x42) returned 0x4f40c0 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f8898 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x4f9fd0 [0230.816] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f4110 [0230.817] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502a80 | out: hHeap=0x4f0000) returned 1 [0230.817] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x800) returned 0x501fe8 [0230.817] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0230.817] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0230.817] GetStartupInfoW (in: lpStartupInfo=0x18f9d0 | out: lpStartupInfo=0x18f9d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0230.817] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"" [0230.817] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"", pNumArgs=0x18f9bc | out: pNumArgs=0x18f9bc) returned 0x502c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0230.824] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0230.827] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x504520 [0230.827] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x56) returned 0x4f8300 [0230.827] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_serializeCertificateId", cchWideChar=-1, lpMultiByteStr=0x4f8300, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_serializeCertificateId", lpUsedDefaultChar=0x0) returned 43 [0230.827] GetLastError () returned 0x0 [0230.827] SetLastError (dwErrCode=0x0) [0230.827] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdW") returned 0x0 [0230.827] GetLastError () returned 0x7f [0230.827] SetLastError (dwErrCode=0x7f) [0230.827] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateIdA") returned 0x0 [0230.827] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_serializeCertificateId") returned 0x647cdb79 [0230.827] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4) returned 0x4f3ec8 [0230.827] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x4f3ec8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0230.827] GetActiveWindow () returned 0x0 [0230.829] GetLastError () returned 0x7f [0230.829] SetLastError (dwErrCode=0x7f) Thread: id = 690 os_tid = 0x11fc Process: id = "330" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b9d9000" os_pid = "0x13d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "329" os_parent_pid = "0xb68" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_serializeCertificateId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "331" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xc9d3000" os_pid = "0xe48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23421 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23422 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23423 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 23424 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 23425 start_va = 0x70000 end_va = 0x71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23426 start_va = 0x80000 end_va = 0xbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 23427 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 23428 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23429 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23430 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23431 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23432 start_va = 0x7f960000 end_va = 0x7f982fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f960000" filename = "" Region: id = 23433 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23434 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23435 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23436 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23439 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23440 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23441 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23442 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23443 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23444 start_va = 0x480000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 23445 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23446 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23448 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23449 start_va = 0x7f860000 end_va = 0x7f95ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f860000" filename = "" Region: id = 23450 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23451 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 23452 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23453 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23454 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23455 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 23456 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 23457 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23458 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23459 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23460 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23461 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23463 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23464 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23465 start_va = 0x70000 end_va = 0x73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 23466 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23467 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23468 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23469 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23470 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23471 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23472 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23473 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23474 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23475 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23476 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23477 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 23478 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23480 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23481 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23482 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 23483 start_va = 0xa60000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 23484 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23485 start_va = 0xa60000 end_va = 0xaf0fff monitored = 0 entry_point = 0xa98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23486 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 23491 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23492 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 23493 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 23494 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 23508 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23509 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23510 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23511 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 23512 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 23513 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 694 os_tid = 0x12a8 [0231.890] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0231.890] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0231.890] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0231.890] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0231.890] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0231.890] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0231.891] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0231.891] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0231.891] GetProcessHeap () returned 0x540000 [0231.891] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0231.892] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0231.892] GetLastError () returned 0x7e [0231.892] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0231.892] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0231.892] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x364) returned 0x550ab0 [0231.892] SetLastError (dwErrCode=0x7e) [0231.892] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe00) returned 0x550e20 [0231.894] GetStartupInfoW (in: lpStartupInfo=0x1bfd48 | out: lpStartupInfo=0x1bfd48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0231.894] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0231.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0231.894] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0231.894] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"" [0231.894] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"" [0231.894] GetACP () returned 0x4e4 [0231.894] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x220) returned 0x551c28 [0231.894] IsValidCodePage (CodePage=0x4e4) returned 1 [0231.894] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1bfd68 | out: lpCPInfo=0x1bfd68) returned 1 [0231.894] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1bf630 | out: lpCPInfo=0x1bf630) returned 1 [0231.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0231.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x1bf3d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0231.894] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1bf644 | out: lpCharType=0x1bf644) returned 1 [0231.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0231.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x1bf388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0231.895] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0231.895] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0231.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0231.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x1bf178, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0231.895] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1bfb44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿh{\x18#\x80ý\x1b", lpUsedDefaultChar=0x0) returned 256 [0231.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0231.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1bfc44, cbMultiByte=256, lpWideCharStr=0x1bf3a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0231.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0231.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1bf198, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0231.895] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1bfa44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿh{\x18#\x80ý\x1b", lpUsedDefaultChar=0x0) returned 256 [0231.895] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x80) returned 0x5438b8 [0231.895] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0231.895] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1ba) returned 0x551e50 [0231.897] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0231.897] GetLastError () returned 0x0 [0231.897] SetLastError (dwErrCode=0x0) [0231.897] GetEnvironmentStringsW () returned 0x552018* [0231.897] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0xa8c) returned 0x552ab0 [0231.898] FreeEnvironmentStringsW (penv=0x552018) returned 1 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x5445a8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54aa48 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x5c) returned 0x548ae0 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x6e) returned 0x544670 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x78) returned 0x553870 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x544ca0 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x28) returned 0x543dd8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x544028 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1a) returned 0x540570 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54abf8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x543c38 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2a) returned 0x548840 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x5488e8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1c) returned 0x543e08 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x144) returned 0x549cf8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x7c) returned 0x548340 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e740 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54abb0 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x5443e0 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543958 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x30) returned 0x5487d0 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e680 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x542930 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5404b8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3c) returned 0x54afe8 [0231.898] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xd6) returned 0x549eb8 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548958 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1e) returned 0x542980 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548920 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x54) returned 0x543e50 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5440b0 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543eb0 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x42) returned 0x544110 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548878 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x549fe8 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543988 [0231.899] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x552ab0 | out: hHeap=0x540000) returned 1 [0231.899] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x800) returned 0x552018 [0231.899] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0231.899] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0231.900] GetStartupInfoW (in: lpStartupInfo=0x1bfdac | out: lpStartupInfo=0x1bfdac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0231.900] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"" [0231.900] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"", pNumArgs=0x1bfd98 | out: pNumArgs=0x1bfd98) returned 0x552c68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0231.900] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0231.903] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x1000) returned 0x554550 [0231.903] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x68) returned 0x54a730 [0231.903] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setCertificateIdCertificateBlob", cchWideChar=-1, lpMultiByteStr=0x54a730, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setCertificateIdCertificateBlob", lpUsedDefaultChar=0x0) returned 52 [0231.903] GetLastError () returned 0x0 [0231.903] SetLastError (dwErrCode=0x0) [0231.903] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobW") returned 0x0 [0231.903] GetLastError () returned 0x7f [0231.903] SetLastError (dwErrCode=0x7f) [0231.903] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlobA") returned 0x0 [0231.904] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setCertificateIdCertificateBlob") returned 0x647c6cfd [0231.904] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x4) returned 0x543860 [0231.904] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x543860, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0231.904] GetActiveWindow () returned 0x0 [0231.905] GetLastError () returned 0x7f [0231.905] SetLastError (dwErrCode=0x7f) Thread: id = 696 os_tid = 0xb70 Process: id = "332" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x45d74000" os_pid = "0x1384" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "331" os_parent_pid = "0xe48" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 3656 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23524 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23525 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23526 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23527 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23528 start_va = 0xa0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 23529 start_va = 0xe0000 end_va = 0xe3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 23530 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 23531 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 23532 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23533 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 23534 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 23535 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23536 start_va = 0x7e550000 end_va = 0x7e572fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e550000" filename = "" Region: id = 23537 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23538 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23539 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 23540 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23541 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23542 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23543 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23544 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23546 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23547 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23548 start_va = 0x580000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 23549 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23553 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23554 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23555 start_va = 0x7e450000 end_va = 0x7e54ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e450000" filename = "" Region: id = 23556 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23557 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23558 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23559 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 23560 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 23561 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23563 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23564 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 23565 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23566 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23567 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23568 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23569 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23570 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23571 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23572 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 23573 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 23574 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23575 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 23576 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 23577 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 23578 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23598 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 23599 start_va = 0x1d0000 end_va = 0x1d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 23600 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 23601 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23602 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23603 start_va = 0x480000 end_va = 0x4a9fff monitored = 0 entry_point = 0x485680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23604 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 23605 start_va = 0x7b0000 end_va = 0x937fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 23606 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23607 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 23608 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 23609 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 23619 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23620 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 23621 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 23622 start_va = 0x580000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 23623 start_va = 0x6b0000 end_va = 0x7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 23663 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 23664 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 23665 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23666 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23667 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23668 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 23669 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23670 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23671 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23672 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23673 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23674 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23675 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23676 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23677 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23678 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23679 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23680 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23681 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23682 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23683 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23684 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23685 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23686 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23687 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23688 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23689 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23690 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23691 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23692 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23693 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23694 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23702 start_va = 0x4c0000 end_va = 0x4c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 23704 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23705 start_va = 0x500000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 23706 start_va = 0x580000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 23707 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 23742 start_va = 0x4c0000 end_va = 0x4c1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 23743 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23744 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 23745 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23746 start_va = 0x6f840000 end_va = 0x6f8affff monitored = 0 entry_point = 0x6f894b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 23747 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 23748 start_va = 0xad0000 end_va = 0xbb9fff monitored = 0 entry_point = 0xb0d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23771 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 23772 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23773 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 23774 start_va = 0xad0000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 23775 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23801 start_va = 0xbd0000 end_va = 0xf06fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 23802 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23803 start_va = 0x4d0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23804 start_va = 0x4d0000 end_va = 0x4d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23805 start_va = 0x4d0000 end_va = 0x4d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23806 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 23807 start_va = 0x4d0000 end_va = 0x4d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23808 start_va = 0x4d0000 end_va = 0x4dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23809 start_va = 0x4d0000 end_va = 0x4ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23810 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23811 start_va = 0x4d0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23812 start_va = 0x4d0000 end_va = 0x4e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23813 start_va = 0x4d0000 end_va = 0x4e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23837 start_va = 0x4d0000 end_va = 0x4e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23838 start_va = 0x4d0000 end_va = 0x4e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23839 start_va = 0x4d0000 end_va = 0x4ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23840 start_va = 0x4d0000 end_va = 0x4edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23841 start_va = 0x4d0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23891 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 23969 start_va = 0x1010000 end_va = 0x10defff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 23970 start_va = 0x6610000 end_va = 0x66bcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 24000 start_va = 0x66c0000 end_va = 0x6766fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066c0000" filename = "" Region: id = 24069 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24070 start_va = 0x4e0000 end_va = 0x4e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 24071 start_va = 0x4f0000 end_va = 0x4f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 24072 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 24073 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24074 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24075 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24076 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24077 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24078 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24079 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24080 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24081 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24082 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24083 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24084 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24086 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24087 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24088 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24089 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24090 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24091 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24092 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24093 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24094 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24095 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24096 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 24097 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24098 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24099 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24100 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24117 start_va = 0x500000 end_va = 0x506fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24118 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 24119 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24120 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24121 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24122 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24130 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 24131 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24132 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24133 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 24134 start_va = 0x510000 end_va = 0x511fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 24135 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 24136 start_va = 0x520000 end_va = 0x520fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 24137 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 24138 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24139 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 24140 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 24141 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 24546 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 24547 start_va = 0x660000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 24548 start_va = 0x1010000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 24549 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 24550 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 24551 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 24667 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 24849 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24850 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 25046 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 25199 start_va = 0x520000 end_va = 0x524fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 25200 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 25201 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 25553 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 25918 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 25919 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 25920 start_va = 0x550000 end_va = 0x550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 25921 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 26441 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 26856 start_va = 0x550000 end_va = 0x551fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 26857 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 26874 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 26875 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 26876 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 26877 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 26878 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 26879 start_va = 0x560000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 26880 start_va = 0x6850000 end_va = 0x690bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006850000" filename = "" Region: id = 26881 start_va = 0x560000 end_va = 0x563fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 26882 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 26883 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 26884 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 26885 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010d0000" filename = "" Region: id = 26891 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 26892 start_va = 0x6910000 end_va = 0x6910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 26896 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 26897 start_va = 0x6920000 end_va = 0x6922fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 26898 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 26918 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 26919 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 26920 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 26939 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 26940 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 698 os_tid = 0xc7c Thread: id = 699 os_tid = 0x980 Thread: id = 703 os_tid = 0x310 Thread: id = 726 os_tid = 0x714 Thread: id = 727 os_tid = 0x12c4 Thread: id = 728 os_tid = 0x864 Thread: id = 764 os_tid = 0xb9c Thread: id = 778 os_tid = 0x13c4 Process: id = "333" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xc586000" os_pid = "0xf14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "331" os_parent_pid = "0xe48" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setCertificateIdCertificateBlob /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "334" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x74ceb000" os_pid = "0x734" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23581 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23582 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23583 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23584 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23585 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23586 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23587 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23588 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23589 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 23590 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23591 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23592 start_va = 0x7f020000 end_va = 0x7f042fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f020000" filename = "" Region: id = 23593 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23594 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23595 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23596 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23610 start_va = 0x440000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 23611 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23612 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23613 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23614 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23615 start_va = 0x440000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 23616 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 23617 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23624 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23625 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23626 start_va = 0x7ef20000 end_va = 0x7f01ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef20000" filename = "" Region: id = 23627 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23628 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23629 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23630 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23631 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 23632 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23633 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23634 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23635 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23636 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23637 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23638 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23639 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23640 start_va = 0x4f0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 23642 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23643 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23644 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23645 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23646 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23647 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23648 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23649 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23650 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23651 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23652 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 23653 start_va = 0x8a0000 end_va = 0x8c9fff monitored = 0 entry_point = 0x8a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23654 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23656 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23657 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23658 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 23659 start_va = 0xa30000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 23660 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23661 start_va = 0xa30000 end_va = 0xac0fff monitored = 0 entry_point = 0xa68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23662 start_va = 0xc20000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 23696 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23697 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 23698 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 23699 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 23709 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 23710 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 23711 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 23712 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 23713 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 23714 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Thread: id = 700 os_tid = 0x5b4 [0234.067] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0234.068] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0234.068] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0234.068] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0234.068] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0234.068] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0234.069] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0234.069] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0234.069] GetProcessHeap () returned 0x4f0000 [0234.069] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0234.069] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0234.070] GetLastError () returned 0x7e [0234.070] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0234.070] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0234.070] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x364) returned 0x5009b0 [0234.070] SetLastError (dwErrCode=0x7e) [0234.070] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xe00) returned 0x500d20 [0234.191] GetStartupInfoW (in: lpStartupInfo=0x18fca8 | out: lpStartupInfo=0x18fca8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0234.191] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0234.191] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0234.191] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0234.191] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"" [0234.191] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"" [0234.191] GetACP () returned 0x4e4 [0234.191] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x220) returned 0x501b28 [0234.192] IsValidCodePage (CodePage=0x4e4) returned 1 [0234.192] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcc8 | out: lpCPInfo=0x18fcc8) returned 1 [0234.192] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f590 | out: lpCPInfo=0x18f590) returned 1 [0234.192] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0234.192] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0234.192] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f5a4 | out: lpCharType=0x18f5a4) returned 1 [0234.192] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0234.192] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0234.192] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0234.192] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0234.193] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0234.193] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0234.193] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faa4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8aÉi®àü\x18", lpUsedDefaultChar=0x0) returned 256 [0234.193] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0234.193] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba4, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0234.193] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0234.193] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0234.193] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8aÉi®àü\x18", lpUsedDefaultChar=0x0) returned 256 [0234.193] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x80) returned 0x4f3880 [0234.193] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0234.193] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x196) returned 0x501d50 [0234.193] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0234.193] GetLastError () returned 0x0 [0234.193] SetLastError (dwErrCode=0x0) [0234.193] GetEnvironmentStringsW () returned 0x501ef0* [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0xa8c) returned 0x502988 [0234.194] FreeEnvironmentStringsW (penv=0x501ef0) returned 1 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f4570 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3e) returned 0x4fac10 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x5c) returned 0x4f8ab0 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x6e) returned 0x4f4868 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x78) returned 0x5035c8 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f4a08 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x28) returned 0x4f3da0 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f3ff0 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1a) returned 0x4f3dd0 [0234.194] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fad30 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x62) returned 0x4f4638 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2a) returned 0x4f8960 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f8a08 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1c) returned 0x4f47d8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x144) returned 0x4f9cc8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x7c) returned 0x4f43a8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe1c0 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3a) returned 0x4fae50 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x90) returned 0x4f3e18 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f4800 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x30) returned 0x4f89d0 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x36) returned 0x4fe280 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x48) returned 0x4f3c00 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f3920 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x3c) returned 0x4fb0d8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0xd6) returned 0x4f9e88 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2e) returned 0x4f86c0 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x1e) returned 0x4f3c50 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f86f8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x54) returned 0x4f2910 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x52) returned 0x4f04b8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f4078 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x42) returned 0x4f40a8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x2c) returned 0x4f8880 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x44) returned 0x4f9fb8 [0234.195] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x24) returned 0x4f40f8 [0234.196] HeapFree (in: hHeap=0x4f0000, dwFlags=0x0, lpMem=0x502988 | out: hHeap=0x4f0000) returned 1 [0234.197] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x8, Size=0x800) returned 0x501ef0 [0234.197] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0234.197] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0234.198] GetStartupInfoW (in: lpStartupInfo=0x18fd0c | out: lpStartupInfo=0x18fd0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0234.198] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"" [0234.198] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"", pNumArgs=0x18fcf8 | out: pNumArgs=0x18fcf8) returned 0x502b40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0234.199] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0234.202] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x1000) returned 0x504428 [0234.202] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x44) returned 0x4f82e8 [0234.202] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setPromptMask", cchWideChar=-1, lpMultiByteStr=0x4f82e8, cbMultiByte=68, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setPromptMask", lpUsedDefaultChar=0x0) returned 34 [0234.202] GetLastError () returned 0x0 [0234.203] SetLastError (dwErrCode=0x0) [0234.203] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskW") returned 0x0 [0234.203] GetLastError () returned 0x7f [0234.203] SetLastError (dwErrCode=0x7f) [0234.203] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMaskA") returned 0x0 [0234.203] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setPromptMask") returned 0x647c8071 [0234.203] RtlAllocateHeap (HeapHandle=0x4f0000, Flags=0x0, Size=0x4) returned 0x4f3eb0 [0234.203] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x4f3eb0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0234.203] GetActiveWindow () returned 0x0 [0234.205] GetLastError () returned 0x7f [0234.206] SetLastError (dwErrCode=0x7f) Thread: id = 702 os_tid = 0xb5c Process: id = "335" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xbe4c000" os_pid = "0xc20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "334" os_parent_pid = "0x734" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setPromptMask /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "336" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0xbc7a000" os_pid = "0x101c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "334" os_parent_pid = "0x734" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 1844 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23750 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23751 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23752 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23753 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23754 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 23755 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 23756 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 23757 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23758 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 23759 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 23760 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 23761 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23762 start_va = 0x7f030000 end_va = 0x7f052fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f030000" filename = "" Region: id = 23763 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23764 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23765 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 23766 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23767 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23768 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23769 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23770 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23777 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23778 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23779 start_va = 0x990000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 23780 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23781 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23782 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23783 start_va = 0x7ef30000 end_va = 0x7f02ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef30000" filename = "" Region: id = 23784 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23814 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23815 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23816 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23817 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 23818 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23819 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23820 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23821 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23822 start_va = 0x980000 end_va = 0x983fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 23823 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23824 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23825 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23826 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23827 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 23828 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 23842 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 23843 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23866 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 23867 start_va = 0x480000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 23868 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 23869 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 23870 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 23871 start_va = 0x990000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 23872 start_va = 0xb10000 end_va = 0xc0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 23873 start_va = 0x990000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 23874 start_va = 0x9c0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 23875 start_va = 0x9a0000 end_va = 0x9a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 23876 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23877 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23878 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 23879 start_va = 0x9d0000 end_va = 0x9f9fff monitored = 0 entry_point = 0x9d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23880 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23881 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 23882 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 23883 start_va = 0x9b0000 end_va = 0x9b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 23895 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23896 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23897 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 23898 start_va = 0xc10000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 23916 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 23917 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 23918 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 23919 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23920 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 23921 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 23922 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23923 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23924 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23925 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23926 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23927 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23928 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23929 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23930 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23931 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23932 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23933 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23934 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23935 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23936 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23937 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23938 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23939 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23940 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23941 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23942 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23943 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23944 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23945 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23946 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23947 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23948 start_va = 0x9f0000 end_va = 0x9f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 23975 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23976 start_va = 0x850000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 23977 start_va = 0x9f0000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 24002 start_va = 0xa70000 end_va = 0xa71fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 24003 start_va = 0xa80000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24004 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 24005 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24006 start_va = 0x6f840000 end_va = 0x6f8affff monitored = 0 entry_point = 0x6f894b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 24007 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 24008 start_va = 0xc10000 end_va = 0xcf9fff monitored = 0 entry_point = 0xc4d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24009 start_va = 0xe00000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 24027 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 24028 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24029 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 24030 start_va = 0xc10000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 24031 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24040 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 24041 start_va = 0xa80000 end_va = 0xa81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24042 start_va = 0xa80000 end_va = 0xa83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24043 start_va = 0xa80000 end_va = 0xa85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24044 start_va = 0xa80000 end_va = 0xa87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24045 start_va = 0x850000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 24046 start_va = 0xa80000 end_va = 0xa89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24047 start_va = 0xa80000 end_va = 0xa8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24048 start_va = 0xa80000 end_va = 0xa8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24049 start_va = 0xa80000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24050 start_va = 0xa80000 end_va = 0xa91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24051 start_va = 0xa80000 end_va = 0xa93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24052 start_va = 0xa80000 end_va = 0xa95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24053 start_va = 0xa80000 end_va = 0xa97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24054 start_va = 0xa80000 end_va = 0xa99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24055 start_va = 0xa80000 end_va = 0xa9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24056 start_va = 0xa80000 end_va = 0xa9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24057 start_va = 0xa80000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24062 start_va = 0xd10000 end_va = 0xdeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 24168 start_va = 0xe10000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 24175 start_va = 0xef0000 end_va = 0xfa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 24176 start_va = 0xfb0000 end_va = 0x1057fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 24205 start_va = 0xa80000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 24206 start_va = 0xa90000 end_va = 0xa92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 24207 start_va = 0xaa0000 end_va = 0xaa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 24208 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 24209 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24210 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24211 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24212 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24213 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24214 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24215 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24217 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24218 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24219 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24220 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24221 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24222 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24223 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24224 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24225 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24226 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24227 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24228 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24229 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24230 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24231 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24233 start_va = 0xe10000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 24234 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24235 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24236 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24237 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24238 start_va = 0xab0000 end_va = 0xab6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24239 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 24240 start_va = 0x4d0000 end_va = 0x4d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 24241 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24242 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24243 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24246 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 24247 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24248 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24249 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 24250 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 24251 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 24252 start_va = 0xab0000 end_va = 0xab0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 24253 start_va = 0x4f0000 end_va = 0x4f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 24254 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 24255 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 24277 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 24278 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 24668 start_va = 0xad0000 end_va = 0xb0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 24669 start_va = 0xf10000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 24670 start_va = 0xf50000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 24671 start_va = 0xf90000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 24672 start_va = 0xfd0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 24673 start_va = 0x1010000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 24771 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 25008 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 25009 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 25127 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 25269 start_va = 0xab0000 end_va = 0xab4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 25270 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 25271 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 25846 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 26088 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 26089 start_va = 0x1090000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 26143 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 26144 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 26757 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 27073 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 27074 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 27136 start_va = 0x6870000 end_va = 0x68affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006870000" filename = "" Region: id = 27137 start_va = 0x68b0000 end_va = 0x68effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068b0000" filename = "" Region: id = 27138 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 27139 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 27140 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 27141 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 27142 start_va = 0x68f0000 end_va = 0x69abfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068f0000" filename = "" Region: id = 27143 start_va = 0xdf0000 end_va = 0xdf3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 27144 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 27145 start_va = 0x10d0000 end_va = 0x10d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 27146 start_va = 0x69b0000 end_va = 0x69b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069b0000" filename = "" Region: id = 27147 start_va = 0x69c0000 end_va = 0x69c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069c0000" filename = "" Region: id = 27201 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 27202 start_va = 0x69d0000 end_va = 0x69d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 27203 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 27204 start_va = 0x69e0000 end_va = 0x69e2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 27205 start_va = 0x950000 end_va = 0x952fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 27206 start_va = 0x69f0000 end_va = 0x6ee1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000069f0000" filename = "" Region: id = 27207 start_va = 0x6ef0000 end_va = 0x7f2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 27237 start_va = 0x7f30000 end_va = 0x7f71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007f30000" filename = "" Region: id = 27282 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 27283 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 704 os_tid = 0xc24 Thread: id = 707 os_tid = 0x654 Thread: id = 709 os_tid = 0xc40 Thread: id = 710 os_tid = 0x12c0 Thread: id = 732 os_tid = 0x1188 Thread: id = 734 os_tid = 0xc98 Thread: id = 735 os_tid = 0x81c Thread: id = 770 os_tid = 0x11a4 Thread: id = 782 os_tid = 0x808 Process: id = "337" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xbcb5000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23785 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23786 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23787 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23788 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23789 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23790 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23791 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23792 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23793 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23794 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23795 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23796 start_va = 0x7fcd0000 end_va = 0x7fcf2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fcd0000" filename = "" Region: id = 23797 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23798 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23799 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23800 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23829 start_va = 0x410000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 23830 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23831 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23832 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23833 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23834 start_va = 0x5c0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 23835 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23836 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23844 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23845 start_va = 0x7fbd0000 end_va = 0x7fccffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fbd0000" filename = "" Region: id = 23846 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23847 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23848 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23849 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23850 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 23851 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 23852 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23853 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23854 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23855 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23856 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 23857 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 23858 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 23859 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 23860 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 23861 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 23862 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 23863 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 23864 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 23865 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 23886 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 23887 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 23888 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 23889 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 23890 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 23892 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23893 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 23894 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 23899 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 23900 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 23901 start_va = 0x4e0000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 23902 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 23903 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 23904 start_va = 0xb70000 end_va = 0xc00fff monitored = 0 entry_point = 0xba8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 23905 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 23906 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 23907 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 23908 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 23909 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 23910 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 23911 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 23912 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 23913 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 23914 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 23915 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 705 os_tid = 0xe00 [0235.481] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0235.481] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0235.481] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0235.481] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0235.482] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0235.482] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0235.482] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0235.482] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0235.483] GetProcessHeap () returned 0x750000 [0235.483] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0235.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0235.483] GetLastError () returned 0x7e [0235.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0235.483] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0235.483] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x7609a0 [0235.483] SetLastError (dwErrCode=0x7e) [0235.484] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760d10 [0235.485] GetStartupInfoW (in: lpStartupInfo=0x18fc24 | out: lpStartupInfo=0x18fc24*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0235.485] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0235.485] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0235.485] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0235.485] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"" [0235.485] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"" [0235.485] GetACP () returned 0x4e4 [0235.485] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761b18 [0235.485] IsValidCodePage (CodePage=0x4e4) returned 1 [0235.485] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc44 | out: lpCPInfo=0x18fc44) returned 1 [0235.485] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f50c | out: lpCPInfo=0x18f50c) returned 1 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0235.486] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f520 | out: lpCharType=0x18f520) returned 1 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x18f268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0235.486] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0235.486] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0235.486] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0235.486] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f058, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0235.486] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa20, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿI¸ß\x9d\\ü\x18", lpUsedDefaultChar=0x0) returned 256 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0235.486] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0235.486] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0235.486] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f068, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0235.486] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f920, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿI¸ß\x9d\\ü\x18", lpUsedDefaultChar=0x0) returned 256 [0235.486] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753878 [0235.486] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x192) returned 0x761d40 [0235.487] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0235.487] GetLastError () returned 0x0 [0235.487] SetLastError (dwErrCode=0x0) [0235.487] GetEnvironmentStringsW () returned 0x761ee0* [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762978 [0235.487] FreeEnvironmentStringsW (penv=0x761ee0) returned 1 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x754568 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75b080 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758840 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x754630 [0235.487] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x763cb8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x754a00 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753d98 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x753fe8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75adb0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753bf8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x7584f8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758568 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x753dc8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759a58 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x7580a0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e1f0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75ac90 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7543a0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753918 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x7586f0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e0f0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752908 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75aff0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759e78 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x7585a0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752958 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x7585d8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x753e10 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x754070 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753e70 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x7540d0 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758610 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759fa8 [0235.488] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753948 [0235.489] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762978 | out: hHeap=0x750000) returned 1 [0235.489] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761ee0 [0235.490] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0235.490] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0235.490] GetStartupInfoW (in: lpStartupInfo=0x18fc88 | out: lpStartupInfo=0x18fc88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0235.490] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"" [0235.490] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"", pNumArgs=0x18fc74 | out: pNumArgs=0x18fc74) returned 0x762b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0235.490] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0235.501] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x764418 [0235.501] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x40) returned 0x75ab70 [0235.502] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_setUserData", cchWideChar=-1, lpMultiByteStr=0x75ab70, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_setUserData", lpUsedDefaultChar=0x0) returned 32 [0235.502] GetLastError () returned 0x0 [0235.502] SetLastError (dwErrCode=0x0) [0235.502] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataW") returned 0x0 [0235.502] GetLastError () returned 0x7f [0235.502] SetLastError (dwErrCode=0x7f) [0235.502] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserDataA") returned 0x0 [0235.502] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_setUserData") returned 0x647c80d5 [0235.502] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753820 [0235.502] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x753820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0235.502] GetActiveWindow () returned 0x0 [0235.503] GetLastError () returned 0x7f [0235.503] SetLastError (dwErrCode=0x7f) Thread: id = 708 os_tid = 0xc28 Process: id = "338" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xdd62000" os_pid = "0xae4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "337" os_parent_pid = "0xdf0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_setUserData /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "339" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xad19000" os_pid = "0x11c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 23949 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 23950 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 23951 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 23952 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 23953 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 23954 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 23955 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 23956 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 23957 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 23958 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 23959 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 23960 start_va = 0x7e5d0000 end_va = 0x7e5f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e5d0000" filename = "" Region: id = 23961 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 23962 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 23963 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 23964 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 23978 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 23979 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 23980 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 23981 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23982 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 23983 start_va = 0x8e0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 23984 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 23987 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 23988 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 23989 start_va = 0x7e4d0000 end_va = 0x7e5cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4d0000" filename = "" Region: id = 23990 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 23991 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 23992 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 23993 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 23994 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 23995 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 23996 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 23997 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 23998 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 23999 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24010 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24011 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24012 start_va = 0x8d0000 end_va = 0x8d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 24013 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24014 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24015 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24016 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24017 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24018 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24019 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24020 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24021 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24022 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24023 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 24024 start_va = 0x8e0000 end_va = 0x909fff monitored = 0 entry_point = 0x8e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24025 start_va = 0x9e0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 24026 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24032 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24033 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24034 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 24035 start_va = 0x8e0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 24036 start_va = 0xae0000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 24037 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24038 start_va = 0x8e0000 end_va = 0x970fff monitored = 0 entry_point = 0x918cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24039 start_va = 0x9c0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 24058 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24059 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 24060 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 24061 start_va = 0x8f0000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 24063 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 24064 start_va = 0x900000 end_va = 0x901fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 24065 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 24066 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 24067 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 24068 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Thread: id = 711 os_tid = 0x114c [0237.275] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0237.276] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0237.276] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0237.276] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0237.276] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0237.276] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0237.277] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0237.277] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0237.277] GetProcessHeap () returned 0x9e0000 [0237.277] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0237.277] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0237.277] GetLastError () returned 0x7e [0237.278] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0237.278] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0237.278] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x364) returned 0x9f0a60 [0237.278] SetLastError (dwErrCode=0x7e) [0237.278] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0xe00) returned 0x9f0dd0 [0237.280] GetStartupInfoW (in: lpStartupInfo=0x18f8a4 | out: lpStartupInfo=0x18f8a4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0237.280] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0237.280] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0237.280] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0237.280] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"" [0237.280] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"" [0237.280] GetACP () returned 0x4e4 [0237.280] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0x220) returned 0x9f1bd8 [0237.280] IsValidCodePage (CodePage=0x4e4) returned 1 [0237.280] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8c4 | out: lpCPInfo=0x18f8c4) returned 1 [0237.280] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f18c | out: lpCPInfo=0x18f18c) returned 1 [0237.280] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.280] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0237.280] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1a0 | out: lpCharType=0x18f1a0) returned 1 [0237.280] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.280] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0237.280] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0237.281] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0237.281] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0237.281] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0237.281] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿïbe\x1aÜø\x18", lpUsedDefaultChar=0x0) returned 256 [0237.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0237.281] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7a0, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0237.281] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0237.281] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0237.281] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿïbe\x1aÜø\x18", lpUsedDefaultChar=0x0) returned 256 [0237.281] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0x80) returned 0x9e3868 [0237.281] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0237.281] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x184) returned 0x9f1e00 [0237.281] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0237.281] GetLastError () returned 0x0 [0237.281] SetLastError (dwErrCode=0x0) [0237.281] GetEnvironmentStringsW () returned 0x9f1f90* [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0xa8c) returned 0x9f2a28 [0237.282] FreeEnvironmentStringsW (penv=0x9f1f90) returned 1 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x90) returned 0x9e4558 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x3e) returned 0x9eaec0 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x5c) returned 0x9e8a90 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x6e) returned 0x9e4620 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x78) returned 0x9f38e8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x62) returned 0x9e4c50 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x28) returned 0x9e3d88 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x48) returned 0x9e3fd8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x1a) returned 0x9e0570 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x3a) returned 0x9eacc8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x62) returned 0x9e3be8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x2a) returned 0x9e8908 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x2e) returned 0x9e8978 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x1c) returned 0x9e3db8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x144) returned 0x9e9ca8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x7c) returned 0x9e82f0 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x36) returned 0x9ee270 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x3a) returned 0x9eade8 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x90) returned 0x9e4390 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x24) returned 0x9e3908 [0237.282] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x30) returned 0x9e89b0 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x36) returned 0x9ee030 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x48) returned 0x9e2900 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x52) returned 0x9e04b8 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x3c) returned 0x9eac80 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0xd6) returned 0x9e9e68 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x2e) returned 0x9e8748 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x1e) returned 0x9e2950 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x2c) returned 0x9e8780 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x54) returned 0x9e3e00 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x52) returned 0x9e4060 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x24) returned 0x9e3e60 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x42) returned 0x9e40c0 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x2c) returned 0x9e8860 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x44) returned 0x9e9f98 [0237.283] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x24) returned 0x9e3938 [0237.284] HeapFree (in: hHeap=0x9e0000, dwFlags=0x0, lpMem=0x9f2a28 | out: hHeap=0x9e0000) returned 1 [0237.284] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x8, Size=0x800) returned 0x9f1f90 [0237.284] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0237.284] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0237.284] GetStartupInfoW (in: lpStartupInfo=0x18f908 | out: lpStartupInfo=0x18f908*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0237.284] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"" [0237.284] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"", pNumArgs=0x18f8f4 | out: pNumArgs=0x18f8f4) returned 0x9f2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0237.285] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0237.287] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0x1000) returned 0x9f44c8 [0237.288] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0x32) returned 0x9ee570 [0237.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_sign", cchWideChar=-1, lpMultiByteStr=0x9ee570, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_sign", lpUsedDefaultChar=0x0) returned 25 [0237.288] GetLastError () returned 0x0 [0237.288] SetLastError (dwErrCode=0x0) [0237.288] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signW") returned 0x0 [0237.288] GetLastError () returned 0x7f [0237.288] SetLastError (dwErrCode=0x7f) [0237.288] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signA") returned 0x0 [0237.288] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_sign") returned 0x647c70c6 [0237.288] RtlAllocateHeap (HeapHandle=0x9e0000, Flags=0x0, Size=0x4) returned 0x9e3810 [0237.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x9e3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0237.288] GetActiveWindow () returned 0x0 [0237.289] GetLastError () returned 0x7f [0237.289] SetLastError (dwErrCode=0x7f) Thread: id = 713 os_tid = 0x1068 Process: id = "340" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xa03d000" os_pid = "0xc50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "339" os_parent_pid = "0x11c4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_sign /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "341" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5e12f000" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24101 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24102 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24103 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24104 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24105 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24106 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24107 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24108 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24109 start_va = 0x9b0000 end_va = 0x9b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 24110 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24111 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24112 start_va = 0x7ed20000 end_va = 0x7ed42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed20000" filename = "" Region: id = 24113 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24114 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24115 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24116 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24123 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24124 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24125 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24126 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24127 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24128 start_va = 0x9c0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 24129 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24142 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24143 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24144 start_va = 0x7ec20000 end_va = 0x7ed1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec20000" filename = "" Region: id = 24145 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24146 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24147 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24148 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24149 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 24150 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24151 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24152 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24153 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24154 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24155 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24156 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24157 start_va = 0x9b0000 end_va = 0x9b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 24158 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24159 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24160 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24161 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24162 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24163 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24164 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24165 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24166 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24167 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24169 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 24170 start_va = 0x9c0000 end_va = 0x9e9fff monitored = 0 entry_point = 0x9c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24171 start_va = 0xac0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 24172 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24177 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24178 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24179 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 24180 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 24181 start_va = 0x9c0000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 24182 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24183 start_va = 0xbc0000 end_va = 0xc50fff monitored = 0 entry_point = 0xbf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24188 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24189 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 24190 start_va = 0xa30000 end_va = 0xa3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 24191 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 24192 start_va = 0x9d0000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 24194 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 24197 start_va = 0x9e0000 end_va = 0x9e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 24198 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 24199 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 24200 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 24201 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Thread: id = 714 os_tid = 0xbe0 [0238.943] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0238.943] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0238.943] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0238.943] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0238.944] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0238.944] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0238.944] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0238.944] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0238.945] GetProcessHeap () returned 0xac0000 [0238.945] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0238.945] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0238.945] GetLastError () returned 0x7e [0238.945] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0238.945] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0238.945] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x364) returned 0xad09a0 [0238.946] SetLastError (dwErrCode=0x7e) [0238.946] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0xe00) returned 0xad0d10 [0239.042] GetStartupInfoW (in: lpStartupInfo=0x18f754 | out: lpStartupInfo=0x18f754*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0239.042] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0239.042] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0239.042] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0239.042] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"" [0239.042] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"" [0239.043] GetACP () returned 0x4e4 [0239.043] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0x220) returned 0xad1b18 [0239.043] IsValidCodePage (CodePage=0x4e4) returned 1 [0239.043] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f774 | out: lpCPInfo=0x18f774) returned 1 [0239.043] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f03c | out: lpCPInfo=0x18f03c) returned 1 [0239.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0239.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18edd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0239.043] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f050 | out: lpCharType=0x18f050) returned 1 [0239.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0239.043] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18ed98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0239.043] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0239.043] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0239.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0239.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0239.044] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f550, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x06\x1bJè\x8c÷\x18", lpUsedDefaultChar=0x0) returned 256 [0239.044] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0239.044] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f650, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0239.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0239.044] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0239.044] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f450, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x06\x1bJè\x8c÷\x18", lpUsedDefaultChar=0x0) returned 256 [0239.044] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0x80) returned 0xac3870 [0239.044] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0239.044] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x18a) returned 0xad1d40 [0239.044] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0239.044] GetLastError () returned 0x0 [0239.044] SetLastError (dwErrCode=0x0) [0239.044] GetEnvironmentStringsW () returned 0xad1ed8* [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0xa8c) returned 0xad2970 [0239.045] FreeEnvironmentStringsW (penv=0xad1ed8) returned 1 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x90) returned 0xac4568 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x3e) returned 0xacae40 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x5c) returned 0xac8aa0 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x6e) returned 0xac4630 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x78) returned 0xad42b0 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x62) returned 0xac4c60 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x28) returned 0xac3d90 [0239.045] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x48) returned 0xac3fe8 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x1a) returned 0xac0570 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x3a) returned 0xacac00 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x62) returned 0xac3bf0 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x2a) returned 0xac8790 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x2e) returned 0xac8838 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x1c) returned 0xac3dc0 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x144) returned 0xac9cb8 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x7c) returned 0xac8300 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x36) returned 0xacdf30 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x3a) returned 0xacac48 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x90) returned 0xac43a0 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x24) returned 0xac3910 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x30) returned 0xac89f8 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x36) returned 0xace030 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x48) returned 0xac2900 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x52) returned 0xac04b8 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x3c) returned 0xacb038 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0xd6) returned 0xac9e78 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x2e) returned 0xac8918 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x1e) returned 0xac2950 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x2c) returned 0xac8720 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x54) returned 0xac3e08 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x52) returned 0xac4070 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x24) returned 0xac3e68 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x42) returned 0xac40d0 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x2c) returned 0xac8800 [0239.046] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x44) returned 0xac9fa8 [0239.047] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x24) returned 0xac3940 [0239.048] HeapFree (in: hHeap=0xac0000, dwFlags=0x0, lpMem=0xad2970 | out: hHeap=0xac0000) returned 1 [0239.048] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x8, Size=0x800) returned 0xad1ed8 [0239.048] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0239.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0239.048] GetStartupInfoW (in: lpStartupInfo=0x18f7b8 | out: lpStartupInfo=0x18f7b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0239.048] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"" [0239.048] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"", pNumArgs=0x18f7a4 | out: pNumArgs=0x18f7a4) returned 0xad2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0239.049] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0239.052] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0x1000) returned 0xad4410 [0239.053] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0x38) returned 0xace630 [0239.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signAny", cchWideChar=-1, lpMultiByteStr=0xace630, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signAny", lpUsedDefaultChar=0x0) returned 28 [0239.053] GetLastError () returned 0x0 [0239.053] SetLastError (dwErrCode=0x0) [0239.053] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyW") returned 0x0 [0239.053] GetLastError () returned 0x7f [0239.053] SetLastError (dwErrCode=0x7f) [0239.053] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAnyA") returned 0x0 [0239.054] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signAny") returned 0x647c779a [0239.054] RtlAllocateHeap (HeapHandle=0xac0000, Flags=0x0, Size=0x4) returned 0xac3818 [0239.054] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xac3818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0239.054] GetActiveWindow () returned 0x0 [0239.055] GetLastError () returned 0x7f [0239.055] SetLastError (dwErrCode=0x7f) Thread: id = 716 os_tid = 0x1008 Process: id = "342" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x9dc0000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "341" os_parent_pid = "0xc3c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signAny /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "343" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x9b47000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24261 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24262 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24263 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24264 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24265 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24266 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24267 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24268 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24269 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24270 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24271 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24272 start_va = 0x7fa10000 end_va = 0x7fa32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa10000" filename = "" Region: id = 24273 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24274 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24275 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24276 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24281 start_va = 0x1c0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24282 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24283 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24284 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24285 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24310 start_va = 0x410000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 24314 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24315 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24316 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24317 start_va = 0x7f910000 end_va = 0x7fa0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f910000" filename = "" Region: id = 24318 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24319 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24320 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24321 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24322 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 24323 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 24324 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24325 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24326 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24328 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24329 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24330 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24331 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24332 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 24333 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24334 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24335 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24336 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24337 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24338 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24339 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24340 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24341 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24342 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24348 start_va = 0x510000 end_va = 0x539fff monitored = 0 entry_point = 0x515680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24349 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 24350 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24352 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24353 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24354 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 24355 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 24356 start_va = 0xa90000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 24357 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24358 start_va = 0xa90000 end_va = 0xb20fff monitored = 0 entry_point = 0xac8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24359 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 24364 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24365 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 24366 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24367 start_va = 0x520000 end_va = 0x527fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24369 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 24370 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 24373 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 24374 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 24375 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24376 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Thread: id = 717 os_tid = 0xc48 [0241.317] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0241.317] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0241.318] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0241.318] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0241.318] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0241.318] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0241.319] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0241.319] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0241.320] GetProcessHeap () returned 0x570000 [0241.320] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0241.320] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0241.320] GetLastError () returned 0x7e [0241.320] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0241.320] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0241.320] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x364) returned 0x5809a0 [0241.321] SetLastError (dwErrCode=0x7e) [0241.321] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xe00) returned 0x580d10 [0241.323] GetStartupInfoW (in: lpStartupInfo=0x18fb18 | out: lpStartupInfo=0x18fb18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0241.323] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0241.323] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0241.323] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0241.323] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"" [0241.323] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"" [0241.323] GetACP () returned 0x4e4 [0241.323] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x220) returned 0x581b18 [0241.323] IsValidCodePage (CodePage=0x4e4) returned 1 [0241.323] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb38 | out: lpCPInfo=0x18fb38) returned 1 [0241.323] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f400 | out: lpCPInfo=0x18f400) returned 1 [0241.323] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0241.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0241.324] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f414 | out: lpCharType=0x18f414) returned 1 [0241.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0241.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x18f158, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0241.324] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0241.324] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0241.324] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0241.324] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0241.324] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f914, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuH¸ñPû\x18", lpUsedDefaultChar=0x0) returned 256 [0241.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0241.324] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpWideCharStr=0x18f178, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0241.324] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0241.324] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0241.325] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f814, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿuH¸ñPû\x18", lpUsedDefaultChar=0x0) returned 256 [0241.325] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x80) returned 0x573878 [0241.325] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0241.325] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x192) returned 0x581d40 [0241.325] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0241.325] GetLastError () returned 0x0 [0241.325] SetLastError (dwErrCode=0x0) [0241.325] GetEnvironmentStringsW () returned 0x581ee0* [0241.325] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0xa8c) returned 0x582978 [0241.326] FreeEnvironmentStringsW (penv=0x581ee0) returned 1 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x90) returned 0x5747c8 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3e) returned 0x57ac00 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x5c) returned 0x578aa0 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x6e) returned 0x574890 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x78) returned 0x584138 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x62) returned 0x574c60 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x28) returned 0x573d98 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x48) returned 0x573fe8 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1a) returned 0x570570 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3a) returned 0x57aa08 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x62) returned 0x573bf8 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2a) returned 0x5788e0 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2e) returned 0x578758 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1c) returned 0x573dc8 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x144) returned 0x579cb8 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x7c) returned 0x578300 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x36) returned 0x57e030 [0241.326] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3a) returned 0x57ae88 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x90) returned 0x574600 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573918 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x30) returned 0x5788a8 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x36) returned 0x57e0b0 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x48) returned 0x572908 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x52) returned 0x5704b8 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x3c) returned 0x57adb0 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0xd6) returned 0x579e78 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2e) returned 0x578918 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x1e) returned 0x572958 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2c) returned 0x5789f8 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x54) returned 0x573e10 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x52) returned 0x574070 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573e70 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x42) returned 0x5740d0 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x2c) returned 0x5787c8 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x44) returned 0x579fa8 [0241.327] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x24) returned 0x573948 [0241.328] HeapFree (in: hHeap=0x570000, dwFlags=0x0, lpMem=0x582978 | out: hHeap=0x570000) returned 1 [0241.328] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x8, Size=0x800) returned 0x581ee0 [0241.328] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0241.328] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0241.328] GetStartupInfoW (in: lpStartupInfo=0x18fb7c | out: lpStartupInfo=0x18fb7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0241.328] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"" [0241.328] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"", pNumArgs=0x18fb68 | out: pNumArgs=0x18fb68) returned 0x582b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0241.329] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0241.331] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x1000) returned 0x584418 [0241.331] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x40) returned 0x57ad20 [0241.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_signRecover", cchWideChar=-1, lpMultiByteStr=0x57ad20, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_signRecover", lpUsedDefaultChar=0x0) returned 32 [0241.332] GetLastError () returned 0x0 [0241.332] SetLastError (dwErrCode=0x0) [0241.332] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverW") returned 0x0 [0241.332] GetLastError () returned 0x7f [0241.332] SetLastError (dwErrCode=0x7f) [0241.332] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecoverA") returned 0x0 [0241.332] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_signRecover") returned 0x647c727b [0241.332] RtlAllocateHeap (HeapHandle=0x570000, Flags=0x0, Size=0x4) returned 0x573820 [0241.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x573820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0241.332] GetActiveWindow () returned 0x0 [0241.334] GetLastError () returned 0x7f [0241.334] SetLastError (dwErrCode=0x7f) Thread: id = 719 os_tid = 0xc38 Process: id = "344" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4734c000" os_pid = "0x1020" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "343" os_parent_pid = "0xffc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_signRecover /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "345" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x948b000" os_pid = "0x1178" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24385 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24386 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24387 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24388 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24389 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24390 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24391 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24392 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24393 start_va = 0xc70000 end_va = 0xc71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 24394 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24395 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24396 start_va = 0x7f8f0000 end_va = 0x7f912fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8f0000" filename = "" Region: id = 24397 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24398 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24399 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24400 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24402 start_va = 0x400000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24403 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24404 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24405 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24406 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24407 start_va = 0xc80000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 24408 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24409 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24411 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24412 start_va = 0x7f7f0000 end_va = 0x7f8effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7f0000" filename = "" Region: id = 24413 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24414 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 24415 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24416 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24417 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24418 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 24419 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24420 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24421 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24422 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24423 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24424 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24425 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24426 start_va = 0xc70000 end_va = 0xc73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 24427 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24428 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24429 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24430 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24433 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24434 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24435 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24436 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24437 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24438 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24439 start_va = 0x650000 end_va = 0x7d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 24440 start_va = 0xc80000 end_va = 0xca9fff monitored = 0 entry_point = 0xc85680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24441 start_va = 0xe40000 end_va = 0xf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 24442 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24444 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24445 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24446 start_va = 0x7e0000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 24447 start_va = 0xc80000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 24448 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24449 start_va = 0xc80000 end_va = 0xd10fff monitored = 0 entry_point = 0xcb8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24450 start_va = 0xdc0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 24452 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24453 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 24454 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 24455 start_va = 0xc90000 end_va = 0xc97fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 24460 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 24461 start_va = 0xca0000 end_va = 0xca1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 24462 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 24463 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 24464 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 24465 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Thread: id = 720 os_tid = 0x13b0 [0242.645] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0242.645] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0242.646] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0242.646] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0242.647] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0242.647] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0242.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0242.811] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0242.811] GetProcessHeap () returned 0xe40000 [0242.811] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0242.812] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0242.812] GetLastError () returned 0x7e [0242.812] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0242.812] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0242.812] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x364) returned 0xe50a60 [0242.812] SetLastError (dwErrCode=0x7e) [0242.812] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0xe00) returned 0xe50dd0 [0242.815] GetStartupInfoW (in: lpStartupInfo=0x18fd78 | out: lpStartupInfo=0x18fd78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0242.815] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0242.815] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0242.815] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0242.815] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"" [0242.815] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"" [0242.815] GetACP () returned 0x4e4 [0242.815] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x220) returned 0xe51bd8 [0242.815] IsValidCodePage (CodePage=0x4e4) returned 1 [0242.815] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd98 | out: lpCPInfo=0x18fd98) returned 1 [0242.815] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f660 | out: lpCPInfo=0x18f660) returned 1 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x18f408, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0242.816] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f674 | out: lpCharType=0x18f674) returned 1 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0242.816] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0242.816] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0242.816] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0242.816] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0242.816] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb74, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿu\x91ïg°ý\x18", lpUsedDefaultChar=0x0) returned 256 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0242.816] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc74, cbMultiByte=256, lpWideCharStr=0x18f3d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0242.816] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0242.816] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0242.816] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa74, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿu\x91ïg°ý\x18", lpUsedDefaultChar=0x0) returned 256 [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x80) returned 0xe43868 [0242.817] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x188) returned 0xe51e00 [0242.817] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0242.817] GetLastError () returned 0x0 [0242.817] SetLastError (dwErrCode=0x0) [0242.817] GetEnvironmentStringsW () returned 0xe51f90* [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0xa8c) returned 0xe52a28 [0242.817] FreeEnvironmentStringsW (penv=0xe51f90) returned 1 [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x90) returned 0xe44558 [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3e) returned 0xe4ad58 [0242.817] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x5c) returned 0xe48830 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x6e) returned 0xe44620 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x78) returned 0xe534e8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x62) returned 0xe449f0 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x28) returned 0xe43d88 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x48) returned 0xe43fd8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1a) returned 0xe40570 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3a) returned 0xe4aba8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x62) returned 0xe43be8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2a) returned 0xe48478 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2e) returned 0xe48670 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1c) returned 0xe43db8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x144) returned 0xe49ca8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x7c) returned 0xe48090 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x36) returned 0xe4e3f0 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3a) returned 0xe4a9b0 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x90) returned 0xe44390 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43908 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x30) returned 0xe48718 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x36) returned 0xe4e4b0 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x48) returned 0xe42900 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x52) returned 0xe404b8 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x3c) returned 0xe4aec0 [0242.818] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0xd6) returned 0xe49e68 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2e) returned 0xe48750 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x1e) returned 0xe42950 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2c) returned 0xe48590 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x54) returned 0xe43e00 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x52) returned 0xe44060 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43e60 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x42) returned 0xe440c0 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x2c) returned 0xe48520 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x44) returned 0xe49f98 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x24) returned 0xe43938 [0242.819] HeapFree (in: hHeap=0xe40000, dwFlags=0x0, lpMem=0xe52a28 | out: hHeap=0xe40000) returned 1 [0242.819] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x8, Size=0x800) returned 0xe51f90 [0242.820] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0242.820] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0242.820] GetStartupInfoW (in: lpStartupInfo=0x18fddc | out: lpStartupInfo=0x18fddc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0242.820] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"" [0242.820] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"", pNumArgs=0x18fdc8 | out: pNumArgs=0x18fdc8) returned 0xe52be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0242.821] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0242.824] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x1000) returned 0xe544c8 [0242.824] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x36) returned 0xe4e0b0 [0242.824] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_unwrap", cchWideChar=-1, lpMultiByteStr=0xe4e0b0, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_unwrap", lpUsedDefaultChar=0x0) returned 27 [0242.826] GetLastError () returned 0x0 [0242.826] SetLastError (dwErrCode=0x0) [0242.826] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapW") returned 0x0 [0242.827] GetLastError () returned 0x7f [0242.827] SetLastError (dwErrCode=0x7f) [0242.827] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrapA") returned 0x0 [0242.827] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_unwrap") returned 0x647c75e5 [0242.827] RtlAllocateHeap (HeapHandle=0xe40000, Flags=0x0, Size=0x4) returned 0xe43810 [0242.827] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xe43810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0242.827] GetActiveWindow () returned 0x0 [0242.828] GetLastError () returned 0x7f [0242.828] SetLastError (dwErrCode=0x7f) Thread: id = 722 os_tid = 0x11f4 Process: id = "346" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x9326000" os_pid = "0x11c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "345" os_parent_pid = "0x1178" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_unwrap /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "347" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x9075000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24471 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24472 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 24473 start_va = 0x40000 end_va = 0x54fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 24474 start_va = 0x60000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 24475 start_va = 0xa0000 end_va = 0x19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 24476 start_va = 0x1a0000 end_va = 0x1a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24477 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 24478 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24479 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24480 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24481 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24482 start_va = 0x7e530000 end_va = 0x7e552fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e530000" filename = "" Region: id = 24483 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24484 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24485 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24486 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24489 start_va = 0x400000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24490 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24491 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24492 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24493 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24494 start_va = 0x470000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 24495 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24496 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24497 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24498 start_va = 0x7e430000 end_va = 0x7e52ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e430000" filename = "" Region: id = 24499 start_va = 0x470000 end_va = 0x52dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24500 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 24501 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24502 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24503 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24504 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 24505 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 24506 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24507 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24508 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24509 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24510 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24511 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24512 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24513 start_va = 0x20000 end_va = 0x23fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24514 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24515 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24516 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24517 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24518 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24519 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24520 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24521 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24522 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24523 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24524 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24525 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 24526 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24527 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 24528 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 24529 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 24530 start_va = 0xa60000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 24531 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24532 start_va = 0xa60000 end_va = 0xaf0fff monitored = 0 entry_point = 0xa98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24533 start_va = 0xb20000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 24534 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24535 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 24536 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 24537 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 24538 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 24539 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 24540 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 24541 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 24542 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 24543 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 723 os_tid = 0x59c [0244.100] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0244.100] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0244.100] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0244.100] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0244.101] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0244.101] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0244.102] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0244.102] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0244.139] GetProcessHeap () returned 0x540000 [0244.139] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0244.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0244.139] GetLastError () returned 0x7e [0244.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0244.139] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0244.139] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x364) returned 0x550a48 [0244.140] SetLastError (dwErrCode=0x7e) [0244.140] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe00) returned 0x550db8 [0244.141] GetStartupInfoW (in: lpStartupInfo=0x19fdf4 | out: lpStartupInfo=0x19fdf4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0244.141] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0244.141] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0244.141] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0244.141] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"" [0244.141] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"" [0244.142] GetACP () returned 0x4e4 [0244.142] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x220) returned 0x551bc0 [0244.142] IsValidCodePage (CodePage=0x4e4) returned 1 [0244.142] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19fe14 | out: lpCPInfo=0x19fe14) returned 1 [0244.142] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x19f6dc | out: lpCPInfo=0x19f6dc) returned 1 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x19f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0244.142] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x19f6f0 | out: lpCharType=0x19f6f0) returned 1 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x19f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0244.142] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0244.142] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0244.142] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0244.142] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0244.142] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x19fbf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\niK|,þ\x19", lpUsedDefaultChar=0x0) returned 256 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0244.142] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x19fcf0, cbMultiByte=256, lpWideCharStr=0x19f448, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0244.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0244.143] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x19f238, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0244.143] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x19faf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\niK|,þ\x19", lpUsedDefaultChar=0x0) returned 256 [0244.143] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x80) returned 0x543850 [0244.143] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0244.143] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x174) returned 0x551de8 [0244.143] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0244.143] GetLastError () returned 0x0 [0244.143] SetLastError (dwErrCode=0x0) [0244.143] GetEnvironmentStringsW () returned 0x551f68* [0244.143] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0xa8c) returned 0x552a00 [0244.143] FreeEnvironmentStringsW (penv=0x551f68) returned 1 [0244.143] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544540 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54b010 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x5c) returned 0x548818 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x6e) returned 0x544608 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x78) returned 0x553540 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x5449d8 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x28) returned 0x543d70 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x543fc0 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1a) returned 0x540570 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54afc8 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x543bd0 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2a) returned 0x5484d0 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x5485e8 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1c) returned 0x543da0 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x144) returned 0x549c90 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x7c) returned 0x548078 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e358 [0244.144] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54aab8 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544378 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x5438f0 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x30) returned 0x548428 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e5d8 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x5428f0 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5404b8 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3c) returned 0x54b0a0 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xd6) returned 0x549e50 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548658 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1e) returned 0x542940 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548460 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x54) returned 0x543de8 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x544048 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543e48 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x42) returned 0x5440a8 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548498 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x549f80 [0244.145] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543920 [0244.146] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x552a00 | out: hHeap=0x540000) returned 1 [0244.146] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x800) returned 0x551f68 [0244.146] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0244.146] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0244.146] GetStartupInfoW (in: lpStartupInfo=0x19fe58 | out: lpStartupInfo=0x19fe58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0244.146] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"" [0244.146] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"", pNumArgs=0x19fe44 | out: pNumArgs=0x19fe44) returned 0x552bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0244.147] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0244.152] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x1000) returned 0x5544a0 [0244.152] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x22) returned 0x54a6c8 [0244.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_del", cchWideChar=-1, lpMultiByteStr=0x54a6c8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_del", lpUsedDefaultChar=0x0) returned 17 [0244.152] GetLastError () returned 0x0 [0244.153] SetLastError (dwErrCode=0x0) [0244.153] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delW") returned 0x0 [0244.153] GetLastError () returned 0x7f [0244.153] SetLastError (dwErrCode=0x7f) [0244.153] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_delA") returned 0x0 [0244.153] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_del") returned 0x647cc884 [0244.153] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x4) returned 0x5437f8 [0244.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x5437f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0244.153] GetActiveWindow () returned 0x0 [0244.154] GetLastError () returned 0x7f [0244.154] SetLastError (dwErrCode=0x7f) Thread: id = 725 os_tid = 0x11bc Process: id = "348" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x83cc000" os_pid = "0x12c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "347" os_parent_pid = "0xd24" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_del /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "349" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x788b000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24552 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24553 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24554 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24555 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24556 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24557 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24558 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24559 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24560 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 24561 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24562 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24563 start_va = 0x7e3d0000 end_va = 0x7e3f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3d0000" filename = "" Region: id = 24564 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24565 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24566 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24567 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24568 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24569 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24570 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24605 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24606 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24607 start_va = 0x850000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 24608 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24609 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24610 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24611 start_va = 0x7e2d0000 end_va = 0x7e3cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2d0000" filename = "" Region: id = 24612 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24613 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24614 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24615 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24616 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24617 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 24618 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24619 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24620 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24621 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24622 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24623 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24624 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24625 start_va = 0x840000 end_va = 0x843fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 24626 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24627 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24628 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24629 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24630 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24631 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24632 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24633 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24634 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24635 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24636 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 24637 start_va = 0x850000 end_va = 0x879fff monitored = 0 entry_point = 0x855680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24638 start_va = 0x8c0000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 24639 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24640 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24641 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24642 start_va = 0x9c0000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 24643 start_va = 0xb50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 24644 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24645 start_va = 0xb50000 end_va = 0xbe0fff monitored = 0 entry_point = 0xb88cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24646 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 24647 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24648 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 24649 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 24650 start_va = 0x860000 end_va = 0x867fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 24655 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 24656 start_va = 0x870000 end_va = 0x871fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 24657 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 24658 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 24659 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 24660 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Thread: id = 729 os_tid = 0x1184 [0245.602] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0245.602] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0245.603] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0245.603] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0245.647] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0245.647] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0245.648] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0245.648] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0245.649] GetProcessHeap () returned 0x8c0000 [0245.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0245.649] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0245.649] GetLastError () returned 0x7e [0245.649] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0245.650] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0245.650] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x364) returned 0x8d09a0 [0245.650] SetLastError (dwErrCode=0x7e) [0245.651] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0xe00) returned 0x8d0d10 [0245.653] GetStartupInfoW (in: lpStartupInfo=0x18f9f4 | out: lpStartupInfo=0x18f9f4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0245.653] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0245.653] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0245.653] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0245.653] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"" [0245.653] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"" [0245.653] GetACP () returned 0x4e4 [0245.653] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x220) returned 0x8d1b18 [0245.653] IsValidCodePage (CodePage=0x4e4) returned 1 [0245.653] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa14 | out: lpCPInfo=0x18fa14) returned 1 [0245.653] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2dc | out: lpCPInfo=0x18f2dc) returned 1 [0245.653] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0245.653] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x18f078, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0245.653] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2f0 | out: lpCharType=0x18f2f0) returned 1 [0245.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0245.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0245.654] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0245.654] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0245.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0245.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0245.654] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x15RNt,ú\x18", lpUsedDefaultChar=0x0) returned 256 [0245.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0245.654] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8f0, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0245.654] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0245.655] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0245.655] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x15RNt,ú\x18", lpUsedDefaultChar=0x0) returned 256 [0245.655] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x80) returned 0x8c3878 [0245.655] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0245.655] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x18c) returned 0x8d1d40 [0245.655] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0245.655] GetLastError () returned 0x0 [0245.655] SetLastError (dwErrCode=0x0) [0245.655] GetEnvironmentStringsW () returned 0x8d1ed8* [0245.655] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0xa8c) returned 0x8d2970 [0245.656] FreeEnvironmentStringsW (penv=0x8d1ed8) returned 1 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x90) returned 0x8c47c8 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3e) returned 0x8cadf8 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x5c) returned 0x8c8aa0 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x6e) returned 0x8c4890 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x78) returned 0x8d3930 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x62) returned 0x8c4c60 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x28) returned 0x8c3d98 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x48) returned 0x8c3fe8 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1a) returned 0x8c0570 [0245.656] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3a) returned 0x8cabb8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x62) returned 0x8c3bf8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2a) returned 0x8c89f8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2e) returned 0x8c87c8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1c) returned 0x8c3dc8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x144) returned 0x8c9cb8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x7c) returned 0x8c8300 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x36) returned 0x8ce1b0 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3a) returned 0x8cac00 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x90) returned 0x8c4600 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3918 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x30) returned 0x8c8800 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x36) returned 0x8ce430 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x48) returned 0x8c2908 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x52) returned 0x8c04b8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x3c) returned 0x8cae40 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0xd6) returned 0x8c9e78 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2e) returned 0x8c88a8 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x1e) returned 0x8c2958 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2c) returned 0x8c8838 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x54) returned 0x8c3e10 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x52) returned 0x8c4070 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3e70 [0245.657] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x42) returned 0x8c40d0 [0245.658] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x2c) returned 0x8c8870 [0245.658] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x44) returned 0x8c9fa8 [0245.658] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x24) returned 0x8c3948 [0245.658] HeapFree (in: hHeap=0x8c0000, dwFlags=0x0, lpMem=0x8d2970 | out: hHeap=0x8c0000) returned 1 [0245.658] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x8, Size=0x800) returned 0x8d1ed8 [0245.659] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0245.659] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0245.659] GetStartupInfoW (in: lpStartupInfo=0x18fa58 | out: lpStartupInfo=0x18fa58*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0245.659] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"" [0245.660] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"", pNumArgs=0x18fa44 | out: pNumArgs=0x18fa44) returned 0x8d2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0245.660] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0245.666] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x1000) returned 0x8d4410 [0245.666] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x3a) returned 0x8cad20 [0245.666] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_enumDataObjects", cchWideChar=-1, lpMultiByteStr=0x8cad20, cbMultiByte=58, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_enumDataObjects", lpUsedDefaultChar=0x0) returned 29 [0245.666] GetLastError () returned 0x0 [0245.666] SetLastError (dwErrCode=0x0) [0245.667] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsW") returned 0x0 [0245.667] GetLastError () returned 0x7f [0245.667] SetLastError (dwErrCode=0x7f) [0245.667] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjectsA") returned 0x0 [0245.667] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_enumDataObjects") returned 0x647ccc50 [0245.667] RtlAllocateHeap (HeapHandle=0x8c0000, Flags=0x0, Size=0x4) returned 0x8c3820 [0245.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x8c3820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0245.668] GetActiveWindow () returned 0x0 [0245.669] GetLastError () returned 0x7f [0245.669] SetLastError (dwErrCode=0x7f) Thread: id = 731 os_tid = 0x136c Process: id = "350" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7716000" os_pid = "0x13e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "349" os_parent_pid = "0x1200" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_enumDataObjects /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "351" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x60a1000" os_pid = "0x12d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24680 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24681 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24682 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24683 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24684 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24685 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24686 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24687 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24688 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 24689 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24690 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24691 start_va = 0x7e3a0000 end_va = 0x7e3c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3a0000" filename = "" Region: id = 24692 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24693 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24694 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24695 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24701 start_va = 0x400000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24702 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24703 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24704 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24705 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24706 start_va = 0xde0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 24708 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24709 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24710 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24711 start_va = 0x7e2a0000 end_va = 0x7e39ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e2a0000" filename = "" Region: id = 24712 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24713 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24714 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24715 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24716 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24717 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 24718 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24719 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24720 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24723 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24724 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24725 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24726 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24727 start_va = 0xdd0000 end_va = 0xdd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 24728 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24729 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24730 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24732 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24733 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24734 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24735 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24736 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24737 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24738 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24739 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 24740 start_va = 0xde0000 end_va = 0xe09fff monitored = 0 entry_point = 0xde5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24741 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 24742 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24744 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24745 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24746 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 24747 start_va = 0xfb0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 24748 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24750 start_va = 0xde0000 end_va = 0xe70fff monitored = 0 entry_point = 0xe18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24751 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24752 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 24753 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 24754 start_va = 0xdf0000 end_va = 0xdf7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 24762 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 24763 start_va = 0xe00000 end_va = 0xe01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 24764 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 24765 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 24766 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 24767 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Thread: id = 737 os_tid = 0x11e4 [0247.193] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0247.193] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0247.193] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0247.193] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0247.194] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0247.194] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0247.194] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0247.195] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0247.195] GetProcessHeap () returned 0xeb0000 [0247.195] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0247.195] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0247.196] GetLastError () returned 0x7e [0247.196] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0247.196] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0247.196] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x364) returned 0xec09a0 [0247.197] SetLastError (dwErrCode=0x7e) [0247.197] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0xe00) returned 0xec0d10 [0247.199] GetStartupInfoW (in: lpStartupInfo=0x18fdb4 | out: lpStartupInfo=0x18fdb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0247.199] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0247.199] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0247.199] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0247.199] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"" [0247.199] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"" [0247.199] GetACP () returned 0x4e4 [0247.199] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x220) returned 0xec1b18 [0247.199] IsValidCodePage (CodePage=0x4e4) returned 1 [0247.199] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdd4 | out: lpCPInfo=0x18fdd4) returned 1 [0247.199] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f69c | out: lpCPInfo=0x18f69c) returned 1 [0247.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0247.199] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0247.200] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f6b0 | out: lpCharType=0x18f6b0) returned 1 [0247.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0247.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x18f3f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0247.200] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0247.200] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0247.200] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0247.200] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0247.200] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿK£µ{ìý\x18", lpUsedDefaultChar=0x0) returned 256 [0247.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0247.200] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcb0, cbMultiByte=256, lpWideCharStr=0x18f408, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0247.200] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0247.200] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f1f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0247.201] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fab0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿK£µ{ìý\x18", lpUsedDefaultChar=0x0) returned 256 [0247.201] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x80) returned 0xeb3870 [0247.201] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0247.201] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x18a) returned 0xec1d40 [0247.201] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0247.201] GetLastError () returned 0x0 [0247.201] SetLastError (dwErrCode=0x0) [0247.201] GetEnvironmentStringsW () returned 0xec1ed8* [0247.201] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0xa8c) returned 0xec2970 [0247.202] FreeEnvironmentStringsW (penv=0xec1ed8) returned 1 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x90) returned 0xeb47c8 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3e) returned 0xebadf8 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x5c) returned 0xeb8aa0 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x6e) returned 0xeb4890 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x78) returned 0xec3bb0 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x62) returned 0xeb4c60 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x28) returned 0xeb3d90 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x48) returned 0xeb3fe8 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1a) returned 0xeb0570 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3a) returned 0xebaff0 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x62) returned 0xeb3bf0 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2a) returned 0xeb8950 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2e) returned 0xeb89f8 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1c) returned 0xeb3dc0 [0247.202] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x144) returned 0xeb9cb8 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x7c) returned 0xeb8300 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x36) returned 0xebdeb0 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3a) returned 0xebae88 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x90) returned 0xeb4600 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3910 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x30) returned 0xeb8800 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x36) returned 0xebe0f0 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x48) returned 0xeb2900 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x52) returned 0xeb04b8 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3c) returned 0xebb038 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0xd6) returned 0xeb9e78 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2e) returned 0xeb87c8 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1e) returned 0xeb2950 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2c) returned 0xeb8678 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x54) returned 0xeb3e08 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x52) returned 0xeb4070 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3e68 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x42) returned 0xeb40d0 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2c) returned 0xeb8790 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x44) returned 0xeb9fa8 [0247.203] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3940 [0247.204] HeapFree (in: hHeap=0xeb0000, dwFlags=0x0, lpMem=0xec2970 | out: hHeap=0xeb0000) returned 1 [0247.204] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x800) returned 0xec1ed8 [0247.204] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0247.204] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0247.204] GetStartupInfoW (in: lpStartupInfo=0x18fe18 | out: lpStartupInfo=0x18fe18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0247.204] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"" [0247.205] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"", pNumArgs=0x18fe04 | out: pNumArgs=0x18fe04) returned 0xec2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0247.205] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0247.208] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x1000) returned 0xec4410 [0247.208] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x38) returned 0xebdf30 [0247.208] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_freeDataIdList", cchWideChar=-1, lpMultiByteStr=0xebdf30, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_freeDataIdList", lpUsedDefaultChar=0x0) returned 28 [0247.208] GetLastError () returned 0x0 [0247.208] SetLastError (dwErrCode=0x0) [0247.209] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListW") returned 0x0 [0247.209] GetLastError () returned 0x7f [0247.209] SetLastError (dwErrCode=0x7f) [0247.209] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdListA") returned 0x0 [0247.209] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_freeDataIdList") returned 0x647ccb5d [0247.209] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x4) returned 0xeb3818 [0247.209] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xeb3818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0247.209] GetActiveWindow () returned 0x0 [0247.210] GetLastError () returned 0x7f [0247.210] SetLastError (dwErrCode=0x7f) Thread: id = 739 os_tid = 0xcec Process: id = "352" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79f8000" os_pid = "0x134c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "351" os_parent_pid = "0x12d8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_freeDataIdList /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "353" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6cb7000" os_pid = "0xc90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24776 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24777 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24778 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24779 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24780 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24781 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24782 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24783 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24784 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24785 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24786 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24787 start_va = 0x7f320000 end_va = 0x7f342fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f320000" filename = "" Region: id = 24788 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24789 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24790 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24791 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24793 start_va = 0x410000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 24794 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24795 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24796 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24797 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24798 start_va = 0x4f0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 24799 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24800 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24803 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24804 start_va = 0x7f220000 end_va = 0x7f31ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f220000" filename = "" Region: id = 24805 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24806 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24807 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24808 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24809 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 24810 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24811 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24812 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24813 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24814 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24815 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24816 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24817 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 24818 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 24819 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24820 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24822 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24823 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24824 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24825 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24826 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24827 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24828 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24829 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24830 start_va = 0x4f0000 end_va = 0x519fff monitored = 0 entry_point = 0x4f5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24831 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 24832 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 24833 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24835 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 24836 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 24837 start_va = 0x4f0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 24838 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 24839 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 24840 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 24842 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 24843 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 24844 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 24845 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24846 start_va = 0x500000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24851 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 24852 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24853 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 24854 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 24855 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 24856 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Thread: id = 740 os_tid = 0x12d0 [0248.554] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0248.555] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0248.555] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0248.555] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0248.555] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0248.555] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0248.605] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0248.606] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0248.606] GetProcessHeap () returned 0x5a0000 [0248.606] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0248.606] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0248.606] GetLastError () returned 0x7e [0248.606] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0248.606] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0248.606] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x364) returned 0x5b0a48 [0248.607] SetLastError (dwErrCode=0x7e) [0248.607] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe00) returned 0x5b0db8 [0248.608] GetStartupInfoW (in: lpStartupInfo=0x18fb04 | out: lpStartupInfo=0x18fb04*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0248.608] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0248.608] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0248.608] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0248.608] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"" [0248.608] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"" [0248.609] GetACP () returned 0x4e4 [0248.609] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x220) returned 0x5b1bc0 [0248.609] IsValidCodePage (CodePage=0x4e4) returned 1 [0248.609] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb24 | out: lpCPInfo=0x18fb24) returned 1 [0248.609] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3ec | out: lpCPInfo=0x18f3ec) returned 1 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0248.609] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f400 | out: lpCharType=0x18f400) returned 1 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x18f148, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0248.609] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0248.609] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0248.609] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0248.609] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0248.609] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f900, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨Á|ô<û\x18", lpUsedDefaultChar=0x0) returned 256 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0248.609] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpWideCharStr=0x18f158, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0248.610] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0248.610] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0248.610] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f800, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¨Á|ô<û\x18", lpUsedDefaultChar=0x0) returned 256 [0248.610] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x80) returned 0x5a3850 [0248.610] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0248.610] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x174) returned 0x5b1de8 [0248.610] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0248.610] GetLastError () returned 0x0 [0248.610] SetLastError (dwErrCode=0x0) [0248.610] GetEnvironmentStringsW () returned 0x5b1f68* [0248.610] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa8c) returned 0x5b2a00 [0248.610] FreeEnvironmentStringsW (penv=0x5b1f68) returned 1 [0248.610] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x90) returned 0x5a4540 [0248.610] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3e) returned 0x5aafc8 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x5c) returned 0x5a8a78 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x6e) returned 0x5a4608 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x78) returned 0x5b43c0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x62) returned 0x5a49d8 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x28) returned 0x5a3d70 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x48) returned 0x5a3fc0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1a) returned 0x5a0570 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3a) returned 0x5aaea8 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x62) returned 0x5a3bd0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2a) returned 0x5a8700 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2e) returned 0x5a8738 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1c) returned 0x5a3da0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x144) returned 0x5a9c90 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x7c) returned 0x5a8078 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x36) returned 0x5ae018 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3a) returned 0x5aaf38 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x90) returned 0x5a4378 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a38f0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x30) returned 0x5a8658 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x36) returned 0x5ae4d8 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x48) returned 0x5a28f0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x52) returned 0x5a04b8 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c) returned 0x5aaa70 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xd6) returned 0x5a9e50 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2e) returned 0x5a83f0 [0248.611] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1e) returned 0x5a2940 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2c) returned 0x5a84d0 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x54) returned 0x5a3de8 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x52) returned 0x5a4048 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a3e48 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x42) returned 0x5a40a8 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2c) returned 0x5a86c8 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x44) returned 0x5a9f80 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a3920 [0248.612] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2a00 | out: hHeap=0x5a0000) returned 1 [0248.612] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x800) returned 0x5b1f68 [0248.612] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0248.612] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0248.612] GetStartupInfoW (in: lpStartupInfo=0x18fb68 | out: lpStartupInfo=0x18fb68*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0248.612] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"" [0248.613] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"", pNumArgs=0x18fb54 | out: pNumArgs=0x18fb54) returned 0x5b2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0248.613] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0248.616] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1000) returned 0x5b44a0 [0248.616] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x22) returned 0x5aa6c8 [0248.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_get", cchWideChar=-1, lpMultiByteStr=0x5aa6c8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_get", lpUsedDefaultChar=0x0) returned 17 [0248.616] GetLastError () returned 0x0 [0248.616] SetLastError (dwErrCode=0x0) [0248.616] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getW") returned 0x0 [0248.616] GetLastError () returned 0x7f [0248.616] SetLastError (dwErrCode=0x7f) [0248.616] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_getA") returned 0x0 [0248.616] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_get") returned 0x647cc130 [0248.616] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x4) returned 0x5a37f8 [0248.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x5a37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0248.616] GetActiveWindow () returned 0x0 [0248.617] GetLastError () returned 0x7f [0248.617] SetLastError (dwErrCode=0x7f) Thread: id = 742 os_tid = 0x79c Process: id = "354" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6dce000" os_pid = "0x12f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "353" os_parent_pid = "0xc90" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_get /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "355" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6dcd000" os_pid = "0xb58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 24900 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 24901 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 24902 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 24903 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 24904 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 24905 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 24906 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 24907 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 24908 start_va = 0xf60000 end_va = 0xf61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 24909 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 24910 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 24911 start_va = 0x7ee10000 end_va = 0x7ee32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee10000" filename = "" Region: id = 24912 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 24913 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 24914 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 24915 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 24925 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 24926 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 24927 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 24928 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24929 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 24930 start_va = 0xf70000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 24931 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 24969 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 24970 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 24971 start_va = 0x7ed10000 end_va = 0x7ee0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed10000" filename = "" Region: id = 24972 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 24973 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 24974 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 24975 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 24976 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 24977 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 24978 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 24979 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 24980 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 24983 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 24984 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 24985 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 24986 start_va = 0xf60000 end_va = 0xf63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 24987 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 24988 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 24989 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 24990 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 24991 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 24992 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 24993 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 24994 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 24995 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 24996 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 24997 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 24998 start_va = 0xf70000 end_va = 0xf99fff monitored = 0 entry_point = 0xf75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 24999 start_va = 0x10e0000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 25000 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25010 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25011 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25012 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 25013 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 25014 start_va = 0xf70000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 25015 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25016 start_va = 0xff0000 end_va = 0x1080fff monitored = 0 entry_point = 0x1028cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25019 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25020 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 25021 start_va = 0xfe0000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 25022 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 25023 start_va = 0xf80000 end_va = 0xf87fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 25024 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 25025 start_va = 0xf90000 end_va = 0xf91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 25026 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 25027 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 25028 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 25029 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Thread: id = 744 os_tid = 0x12a4 [0250.270] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0250.270] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0250.270] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0250.270] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0250.270] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0250.271] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0250.271] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0250.271] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0250.272] GetProcessHeap () returned 0x10e0000 [0250.272] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0250.272] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0250.272] GetLastError () returned 0x7e [0250.272] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0250.272] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0250.272] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x364) returned 0x10f0a48 [0250.272] SetLastError (dwErrCode=0x7e) [0250.273] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0xe00) returned 0x10f0db8 [0250.274] GetStartupInfoW (in: lpStartupInfo=0x18fad8 | out: lpStartupInfo=0x18fad8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0250.274] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0250.274] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0250.274] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0250.274] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"" [0250.274] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"" [0250.274] GetACP () returned 0x4e4 [0250.274] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x220) returned 0x10f1bc0 [0250.274] IsValidCodePage (CodePage=0x4e4) returned 1 [0250.274] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18faf8 | out: lpCPInfo=0x18faf8) returned 1 [0250.274] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3c0 | out: lpCPInfo=0x18f3c0) returned 1 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0250.275] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f3d4 | out: lpCharType=0x18f3d4) returned 1 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x18f118, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0250.275] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0250.275] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0250.275] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.275] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0250.275] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f8d4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x92£C\x10û\x18", lpUsedDefaultChar=0x0) returned 256 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0250.275] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f9d4, cbMultiByte=256, lpWideCharStr=0x18f138, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0250.275] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0250.275] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0250.275] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f7d4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x92£C\x10û\x18", lpUsedDefaultChar=0x0) returned 256 [0250.275] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x80) returned 0x10e3850 [0250.275] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x174) returned 0x10f1de8 [0250.276] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0250.276] GetLastError () returned 0x0 [0250.276] SetLastError (dwErrCode=0x0) [0250.276] GetEnvironmentStringsW () returned 0x10f1f68* [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0xa8c) returned 0x10f2a00 [0250.276] FreeEnvironmentStringsW (penv=0x10f1f68) returned 1 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x90) returned 0x10e47a0 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3e) returned 0x10ea9e0 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x5c) returned 0x10e8a78 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x6e) returned 0x10e4868 [0250.276] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x78) returned 0x10f34c0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x62) returned 0x10e4c38 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x28) returned 0x10e3d70 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x48) returned 0x10e3fc0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1a) returned 0x10e0570 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3a) returned 0x10eb0a0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x62) returned 0x10e3bd0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2a) returned 0x10e87d8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2e) returned 0x10e8688 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1c) returned 0x10e3da0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x144) returned 0x10e9c90 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x7c) returned 0x10e82d8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x36) returned 0x10ee598 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3a) returned 0x10eabd8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x90) returned 0x10e4378 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e38f0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x30) returned 0x10e86c0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x36) returned 0x10edfd8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x48) returned 0x10e28f0 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x52) returned 0x10e04b8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x3c) returned 0x10eac68 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0xd6) returned 0x10e9e50 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2e) returned 0x10e8810 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x1e) returned 0x10e2940 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2c) returned 0x10e88b8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x54) returned 0x10e3de8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x52) returned 0x10e4048 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e3e48 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x42) returned 0x10e40a8 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x2c) returned 0x10e8848 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x44) returned 0x10e9f80 [0250.277] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x24) returned 0x10e3920 [0250.278] HeapFree (in: hHeap=0x10e0000, dwFlags=0x0, lpMem=0x10f2a00 | out: hHeap=0x10e0000) returned 1 [0250.278] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x8, Size=0x800) returned 0x10f1f68 [0250.278] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0250.278] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0250.278] GetStartupInfoW (in: lpStartupInfo=0x18fb3c | out: lpStartupInfo=0x18fb3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0250.279] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"" [0250.279] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"", pNumArgs=0x18fb28 | out: pNumArgs=0x18fb28) returned 0x10f2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0250.279] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0250.281] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x1000) returned 0x10f44a0 [0250.281] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x22) returned 0x10ea6c8 [0250.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_data_put", cchWideChar=-1, lpMultiByteStr=0x10ea6c8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_data_put", lpUsedDefaultChar=0x0) returned 17 [0250.282] GetLastError () returned 0x0 [0250.282] SetLastError (dwErrCode=0x0) [0250.282] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putW") returned 0x0 [0250.282] GetLastError () returned 0x7f [0250.282] SetLastError (dwErrCode=0x7f) [0250.282] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_putA") returned 0x0 [0250.282] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_data_put") returned 0x647cc4df [0250.282] RtlAllocateHeap (HeapHandle=0x10e0000, Flags=0x0, Size=0x4) returned 0x10e37f8 [0250.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x10e37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0250.282] GetActiveWindow () returned 0x0 [0250.283] GetLastError () returned 0x7f [0250.283] SetLastError (dwErrCode=0x7f) Thread: id = 746 os_tid = 0x116c Process: id = "356" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x784f000" os_pid = "0xd54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "355" os_parent_pid = "0xb58" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_data_put /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "357" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xe1e5000" os_pid = "0xce0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25048 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25049 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25050 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25051 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25052 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25053 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25054 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25055 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25056 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25057 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25058 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25059 start_va = 0x7ece0000 end_va = 0x7ed02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Region: id = 25060 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25061 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25062 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25063 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25068 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25069 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25070 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25071 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25072 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25073 start_va = 0x410000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25074 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25075 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25076 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25077 start_va = 0x7ebe0000 end_va = 0x7ecdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebe0000" filename = "" Region: id = 25078 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25079 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25080 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25081 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 25082 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 25083 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 25084 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25085 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25086 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25087 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 25088 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25091 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25092 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25093 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 25094 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 25095 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 25096 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25097 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 25098 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 25099 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 25100 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25101 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 25102 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 25103 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 25104 start_va = 0x510000 end_va = 0x539fff monitored = 0 entry_point = 0x515680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25105 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 25106 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25107 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25108 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25109 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 25110 start_va = 0x8e0000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 25111 start_va = 0xa70000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 25112 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25113 start_va = 0xae0000 end_va = 0xb70fff monitored = 0 entry_point = 0xb18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25115 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25116 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 25117 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 25118 start_va = 0x520000 end_va = 0x527fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 25119 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 25120 start_va = 0x530000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 25121 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 25122 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 25125 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 25126 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Thread: id = 749 os_tid = 0x1374 [0251.172] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0251.172] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.172] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0251.172] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.172] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0251.172] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0251.173] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.173] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0251.174] GetProcessHeap () returned 0x550000 [0251.174] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0251.174] GetLastError () returned 0x7e [0251.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0251.174] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0251.174] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x364) returned 0x560a60 [0251.174] SetLastError (dwErrCode=0x7e) [0251.175] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xe00) returned 0x560dd0 [0251.176] GetStartupInfoW (in: lpStartupInfo=0x18f900 | out: lpStartupInfo=0x18f900*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0251.176] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0251.176] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0251.176] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0251.176] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"" [0251.177] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"" [0251.177] GetACP () returned 0x4e4 [0251.177] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x220) returned 0x561bd8 [0251.177] IsValidCodePage (CodePage=0x4e4) returned 1 [0251.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f920 | out: lpCPInfo=0x18f920) returned 1 [0251.177] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1e8 | out: lpCPInfo=0x18f1e8) returned 1 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.177] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f1fc | out: lpCharType=0x18f1fc) returned 1 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x18ef38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0251.177] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.177] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0251.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.177] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.177] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²î\x9bÀ8ù\x18", lpUsedDefaultChar=0x0) returned 256 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.177] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7fc, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.178] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.178] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0251.178] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5fc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²î\x9bÀ8ù\x18", lpUsedDefaultChar=0x0) returned 256 [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x80) returned 0x553868 [0251.178] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x184) returned 0x561e00 [0251.178] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0251.178] GetLastError () returned 0x0 [0251.178] SetLastError (dwErrCode=0x0) [0251.178] GetEnvironmentStringsW () returned 0x561f90* [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0xa8c) returned 0x562a28 [0251.178] FreeEnvironmentStringsW (penv=0x561f90) returned 1 [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x90) returned 0x554558 [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3e) returned 0x55aa88 [0251.178] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x5c) returned 0x558a90 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x6e) returned 0x554620 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x78) returned 0x564268 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x62) returned 0x554c50 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x28) returned 0x553d88 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x48) returned 0x553fd8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1a) returned 0x550570 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3a) returned 0x55af50 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x62) returned 0x553be8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2a) returned 0x558828 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2e) returned 0x558978 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1c) returned 0x553db8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x144) returned 0x559ca8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x7c) returned 0x5582f0 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x36) returned 0x55e2f0 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3a) returned 0x55ada0 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x90) returned 0x554390 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x24) returned 0x553908 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x30) returned 0x5587b8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x36) returned 0x55e030 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x48) returned 0x552900 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x52) returned 0x5504b8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x3c) returned 0x55af98 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0xd6) returned 0x559e68 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2e) returned 0x5586d8 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x1e) returned 0x552950 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2c) returned 0x558710 [0251.179] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x54) returned 0x553e00 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x52) returned 0x554060 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x24) returned 0x553e60 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x42) returned 0x5540c0 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x2c) returned 0x558748 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x44) returned 0x559f98 [0251.180] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x24) returned 0x553938 [0251.181] HeapFree (in: hHeap=0x550000, dwFlags=0x0, lpMem=0x562a28 | out: hHeap=0x550000) returned 1 [0251.349] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x8, Size=0x800) returned 0x561f90 [0251.349] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0251.349] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0251.350] GetStartupInfoW (in: lpStartupInfo=0x18f964 | out: lpStartupInfo=0x18f964*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0251.350] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"" [0251.350] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"", pNumArgs=0x18f950 | out: pNumArgs=0x18f950) returned 0x562be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0251.350] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0251.358] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x1000) returned 0x5644c8 [0251.358] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x32) returned 0x55e2b0 [0251.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setCrypto", cchWideChar=-1, lpMultiByteStr=0x55e2b0, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setCrypto", lpUsedDefaultChar=0x0) returned 25 [0251.358] GetLastError () returned 0x0 [0251.358] SetLastError (dwErrCode=0x0) [0251.358] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoW") returned 0x0 [0251.358] GetLastError () returned 0x7f [0251.358] SetLastError (dwErrCode=0x7f) [0251.358] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCryptoA") returned 0x0 [0251.358] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setCrypto") returned 0x647c16e4 [0251.358] RtlAllocateHeap (HeapHandle=0x550000, Flags=0x0, Size=0x4) returned 0x553810 [0251.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x553810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0251.359] GetActiveWindow () returned 0x0 [0251.359] GetLastError () returned 0x7f [0251.359] SetLastError (dwErrCode=0x7f) Thread: id = 751 os_tid = 0x234 Process: id = "358" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5d30000" os_pid = "0x12b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "357" os_parent_pid = "0xce0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setCrypto /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "359" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x78fa000" os_pid = "0x110c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25128 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25129 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25130 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25131 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25132 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25133 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25134 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25135 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25136 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25137 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25138 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25139 start_va = 0x7e9a0000 end_va = 0x7e9c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9a0000" filename = "" Region: id = 25140 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25141 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25142 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25143 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25146 start_va = 0x410000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25147 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25148 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25149 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25150 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25151 start_va = 0x410000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25152 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 25153 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25154 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25155 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25156 start_va = 0x7e8a0000 end_va = 0x7e99ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8a0000" filename = "" Region: id = 25157 start_va = 0x5d0000 end_va = 0x68dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25158 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25159 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25160 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25161 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 25162 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25163 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25164 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25165 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 25166 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25167 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25168 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25169 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25170 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 25171 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 25172 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25173 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 25174 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 25175 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 25176 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25177 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 25178 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 25179 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 25180 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25181 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 25182 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 25183 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25184 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25185 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25186 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 25187 start_va = 0xab0000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 25188 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25189 start_va = 0xab0000 end_va = 0xb40fff monitored = 0 entry_point = 0xae8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25190 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 25191 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25192 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 25193 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 25194 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 25195 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 25196 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 25197 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 25198 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 25202 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 25203 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 752 os_tid = 0xce4 [0251.766] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0251.766] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.766] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0251.766] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.766] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0251.766] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0251.767] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.767] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0251.767] GetProcessHeap () returned 0x480000 [0251.767] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.768] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0251.768] GetLastError () returned 0x7e [0251.768] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0251.768] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0251.768] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x364) returned 0x490a60 [0251.768] SetLastError (dwErrCode=0x7e) [0251.768] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xe00) returned 0x490dd0 [0251.770] GetStartupInfoW (in: lpStartupInfo=0x18f8c0 | out: lpStartupInfo=0x18f8c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0251.770] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0251.770] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0251.770] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0251.770] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"" [0251.770] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"" [0251.770] GetACP () returned 0x4e4 [0251.770] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x220) returned 0x491bd8 [0251.770] IsValidCodePage (CodePage=0x4e4) returned 1 [0251.770] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8e0 | out: lpCPInfo=0x18f8e0) returned 1 [0251.770] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1a8 | out: lpCPInfo=0x18f1a8) returned 1 [0251.770] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.770] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x18ef48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.770] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f1bc | out: lpCharType=0x18f1bc) returned 1 [0251.770] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.770] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0251.770] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0251.771] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0251.771] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.771] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.771] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9f~Rxøø\x18", lpUsedDefaultChar=0x0) returned 256 [0251.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0251.771] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7bc, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0251.771] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0251.771] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0251.771] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9f~Rxøø\x18", lpUsedDefaultChar=0x0) returned 256 [0251.771] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x80) returned 0x483868 [0251.771] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0251.771] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x184) returned 0x491e00 [0251.771] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0251.771] GetLastError () returned 0x0 [0251.771] SetLastError (dwErrCode=0x0) [0251.771] GetEnvironmentStringsW () returned 0x491f90* [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0xa8c) returned 0x492a28 [0251.772] FreeEnvironmentStringsW (penv=0x491f90) returned 1 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x90) returned 0x484558 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x3e) returned 0x48ab60 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x5c) returned 0x488830 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x6e) returned 0x484620 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x78) returned 0x4936e8 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x62) returned 0x4849f0 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x28) returned 0x483d88 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x48) returned 0x483fd8 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x1a) returned 0x480570 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x3a) returned 0x48ade8 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x62) returned 0x483be8 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x2a) returned 0x488520 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x2e) returned 0x488670 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x1c) returned 0x483db8 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x144) returned 0x489a48 [0251.772] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x7c) returned 0x488090 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x36) returned 0x48e6b0 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x3a) returned 0x48ad58 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x90) returned 0x484390 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x24) returned 0x483908 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x30) returned 0x4886a8 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x36) returned 0x48df70 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x48) returned 0x482900 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x52) returned 0x4804b8 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x3c) returned 0x48ab18 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0xd6) returned 0x489e68 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x2e) returned 0x488558 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x1e) returned 0x482950 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x2c) returned 0x488590 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x54) returned 0x483e00 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x52) returned 0x484060 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x24) returned 0x483e60 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x42) returned 0x4840c0 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x2c) returned 0x4886e0 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x44) returned 0x489f98 [0251.773] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x24) returned 0x483938 [0251.774] HeapFree (in: hHeap=0x480000, dwFlags=0x0, lpMem=0x492a28 | out: hHeap=0x480000) returned 1 [0251.774] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x8, Size=0x800) returned 0x491f90 [0251.782] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0251.782] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0251.782] GetStartupInfoW (in: lpStartupInfo=0x18f924 | out: lpStartupInfo=0x18f924*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0251.782] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"" [0251.782] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"", pNumArgs=0x18f910 | out: pNumArgs=0x18f910) returned 0x492be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0251.783] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0251.785] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x1000) returned 0x4944c8 [0251.785] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x32) returned 0x48dff0 [0251.785] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_engine_setSystem", cchWideChar=-1, lpMultiByteStr=0x48dff0, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_engine_setSystem", lpUsedDefaultChar=0x0) returned 25 [0251.785] GetLastError () returned 0x0 [0251.785] SetLastError (dwErrCode=0x0) [0251.785] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemW") returned 0x0 [0251.785] GetLastError () returned 0x7f [0251.786] SetLastError (dwErrCode=0x7f) [0251.786] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystemA") returned 0x0 [0251.786] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_engine_setSystem") returned 0x647c1699 [0251.786] RtlAllocateHeap (HeapHandle=0x480000, Flags=0x0, Size=0x4) returned 0x483810 [0251.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x483810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0251.786] GetActiveWindow () returned 0x0 [0251.787] GetLastError () returned 0x7f [0251.787] SetLastError (dwErrCode=0x7f) Thread: id = 754 os_tid = 0x5fc Process: id = "360" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13981000" os_pid = "0x7e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "359" os_parent_pid = "0x110c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_engine_setSystem /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "361" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x71010000" os_pid = "0xc74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25204 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25205 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25206 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25207 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 25208 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 25209 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 25210 start_va = 0xd0000 end_va = 0xd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25211 start_va = 0xe0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 25212 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25213 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25214 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25215 start_va = 0x7f8c0000 end_va = 0x7f8e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8c0000" filename = "" Region: id = 25216 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25217 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25218 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25219 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25220 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25223 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25224 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25225 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25226 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25227 start_va = 0x590000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 25228 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25229 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25230 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25231 start_va = 0x7f7c0000 end_va = 0x7f8bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7c0000" filename = "" Region: id = 25232 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25233 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 25234 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25235 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25236 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 25237 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 25238 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 25239 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25240 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25241 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25242 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 25243 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25244 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25245 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25246 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 25247 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 25248 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 25249 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25250 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 25251 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 25252 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 25253 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25254 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 25255 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 25256 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 25257 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25258 start_va = 0x7c0000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 25259 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25260 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25261 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 25262 start_va = 0x500000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 25263 start_va = 0x950000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 25264 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25265 start_va = 0xae0000 end_va = 0xb70fff monitored = 0 entry_point = 0xb18cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25266 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25272 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 25273 start_va = 0xae0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 25274 start_va = 0x1e0000 end_va = 0x1fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 25275 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 25276 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 25277 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25278 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25279 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25280 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25281 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25282 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25283 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25284 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25285 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25286 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25287 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25288 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25289 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25290 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25291 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25292 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25293 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25294 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25295 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25296 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25297 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25298 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25299 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25300 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25301 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25302 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25303 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25304 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25305 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25306 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25307 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25308 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25309 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25310 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25311 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25312 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25313 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25314 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25315 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25316 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25317 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25318 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25319 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25320 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25321 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25322 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25323 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25324 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25325 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25326 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25327 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25328 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25329 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25330 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25331 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25332 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25333 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25334 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25335 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25336 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25337 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25338 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25339 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25340 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25341 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25342 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25343 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25344 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25345 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25346 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25347 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25348 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25349 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25350 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25351 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25352 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25353 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25354 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25355 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25356 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25357 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25358 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25359 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25360 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25361 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25362 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25363 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25364 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25365 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25366 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25367 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25368 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25369 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25370 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25371 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25372 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25373 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25374 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25375 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25376 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25377 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25378 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25379 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25380 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25381 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25382 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25383 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25384 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25385 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25386 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25387 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25388 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25389 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25390 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25391 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25392 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25393 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25394 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25395 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25396 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25397 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25398 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25399 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25400 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25401 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25402 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25403 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25404 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25405 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25406 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25407 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25408 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25409 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25410 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25411 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25412 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25413 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25414 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25415 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25416 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25417 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25418 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25419 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25420 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25421 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25422 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25423 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25424 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25425 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25426 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25427 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25428 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25429 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25430 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25431 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25432 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25433 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25434 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25435 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25436 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25437 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25438 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25439 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25440 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25441 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25442 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25443 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25444 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25445 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25446 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25447 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25448 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25449 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25450 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25451 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25452 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25453 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25454 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25455 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25456 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25457 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25458 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25459 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25460 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25461 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25462 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25463 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25464 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25465 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25466 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25467 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25468 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25469 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25470 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25471 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25472 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25473 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25474 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25475 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25476 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25477 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25478 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25479 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25480 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25481 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25482 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25483 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25484 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25485 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25486 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25487 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25488 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25489 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25490 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25491 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25492 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25493 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25494 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25495 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25496 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25497 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25498 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25499 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25500 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25501 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25502 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25503 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25504 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25505 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25506 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25507 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25508 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25509 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25510 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25511 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25512 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25513 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25514 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25515 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25516 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25517 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25518 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25519 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25520 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25521 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25522 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25523 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25524 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25525 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 25526 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 31379 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 31380 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 31381 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 31382 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 755 os_tid = 0x1100 [0252.515] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0252.515] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0252.515] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0252.515] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0252.516] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0252.516] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0252.516] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0252.516] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0252.517] GetProcessHeap () returned 0x6c0000 [0252.517] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0252.517] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0252.517] GetLastError () returned 0x7e [0252.517] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0252.517] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0252.517] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x364) returned 0x6d0a48 [0252.517] SetLastError (dwErrCode=0x7e) [0252.518] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xe00) returned 0x6d0db8 [0252.519] GetStartupInfoW (in: lpStartupInfo=0x1df6b8 | out: lpStartupInfo=0x1df6b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0252.519] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0252.519] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0252.519] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0252.519] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"" [0252.519] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"" [0252.519] GetACP () returned 0x4e4 [0252.519] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x220) returned 0x6d1bc0 [0252.519] IsValidCodePage (CodePage=0x4e4) returned 1 [0252.519] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1df6d8 | out: lpCPInfo=0x1df6d8) returned 1 [0252.519] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1defa0 | out: lpCPInfo=0x1defa0) returned 1 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x1ded48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0252.520] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1defb4 | out: lpCharType=0x1defb4) returned 1 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x1decf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0252.520] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0252.520] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0252.520] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.520] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x1deae8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0252.520] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1df4b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9d\x9fÁ ðö\x1d", lpUsedDefaultChar=0x0) returned 256 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0252.520] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1df5b4, cbMultiByte=256, lpWideCharStr=0x1ded18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0252.520] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0252.520] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1deb08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0252.520] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1df3b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x9d\x9fÁ ðö\x1d", lpUsedDefaultChar=0x0) returned 256 [0252.520] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x80) returned 0x6c3850 [0252.520] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0252.520] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x176) returned 0x6d1de8 [0252.521] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0252.521] GetLastError () returned 0x0 [0252.521] SetLastError (dwErrCode=0x0) [0252.521] GetEnvironmentStringsW () returned 0x6d1f68* [0252.521] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0xa8c) returned 0x6d2a00 [0252.521] FreeEnvironmentStringsW (penv=0x6d1f68) returned 1 [0252.521] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x90) returned 0x6c4540 [0252.521] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x3e) returned 0x6cb058 [0252.521] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x5c) returned 0x6c8a78 [0252.521] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x6e) returned 0x6c4608 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x78) returned 0x6d38c0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x62) returned 0x6c49d8 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x28) returned 0x6c3d70 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x48) returned 0x6c3fc0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1a) returned 0x6c0570 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x3a) returned 0x6ca9e0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x62) returned 0x6c3bd0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x2a) returned 0x6c8880 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x2e) returned 0x6c88b8 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1c) returned 0x6c3da0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x144) returned 0x6c9c90 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x7c) returned 0x6c8078 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x36) returned 0x6ce1d8 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x3a) returned 0x6caa28 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x90) returned 0x6c4378 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x24) returned 0x6c38f0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x30) returned 0x6c88f0 [0252.522] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x36) returned 0x6ce2d8 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x48) returned 0x6c28f0 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x52) returned 0x6c04b8 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x3c) returned 0x6cac68 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0xd6) returned 0x6c9e50 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x2e) returned 0x6c89d0 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x1e) returned 0x6c2940 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x2c) returned 0x6c8928 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x54) returned 0x6c3de8 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x52) returned 0x6c4048 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x24) returned 0x6c3e48 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x42) returned 0x6c40a8 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x2c) returned 0x6c8768 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x44) returned 0x6c9f80 [0252.523] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x24) returned 0x6c3920 [0252.524] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d2a00 | out: hHeap=0x6c0000) returned 1 [0252.524] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x8, Size=0x800) returned 0x6d1f68 [0252.578] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0252.578] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0252.578] GetStartupInfoW (in: lpStartupInfo=0x1df71c | out: lpStartupInfo=0x1df71c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0252.579] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"" [0252.579] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_forkFixup /fn_args=\"1\"", pNumArgs=0x1df708 | out: pNumArgs=0x1df708) returned 0x6d2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0252.579] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0252.582] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x1000) returned 0x6d44a0 [0252.582] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x24) returned 0x6ca6c8 [0252.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_forkFixup", cchWideChar=-1, lpMultiByteStr=0x6ca6c8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_forkFixup", lpUsedDefaultChar=0x0) returned 18 [0252.582] GetLastError () returned 0x0 [0252.582] SetLastError (dwErrCode=0x0) [0252.582] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupW") returned 0x0 [0252.582] GetLastError () returned 0x7f [0252.582] SetLastError (dwErrCode=0x7f) [0252.583] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixupA") returned 0x0 [0252.583] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_forkFixup") returned 0x647cbbb3 [0252.583] RtlAllocateHeap (HeapHandle=0x6c0000, Flags=0x0, Size=0x4) returned 0x6c37f8 [0252.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x6c37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0252.583] GetActiveWindow () returned 0x0 [0252.629] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d44a0 | out: hHeap=0x6c0000) returned 1 [0252.630] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6ca6c8 | out: hHeap=0x6c0000) returned 1 [0252.630] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c37f8 | out: hHeap=0x6c0000) returned 1 [0252.630] GetCurrentProcessId () returned 0xc74 [0252.630] GetCurrentThreadId () returned 0x1100 [0252.630] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0252.645] Thread32First (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.646] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.646] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.647] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.647] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.648] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.649] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.650] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.650] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.651] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.652] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.652] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.653] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.654] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.654] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.655] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.656] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.656] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.657] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.657] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.658] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.659] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.659] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.660] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.661] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.661] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.662] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.662] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.663] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.664] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.664] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.683] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.684] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.685] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.685] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.686] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.687] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.687] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.688] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.688] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.689] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.690] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.690] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.691] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.691] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.692] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.693] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.693] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.694] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.695] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.695] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.696] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.697] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.697] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.698] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.698] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.699] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.700] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.700] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.701] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.702] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.702] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.703] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.703] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.704] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.705] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.705] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.706] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.707] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.707] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.708] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.708] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.709] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.710] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.710] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.711] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.712] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.713] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.713] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.714] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.714] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.715] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.716] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.716] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.717] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.718] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.718] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.719] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.720] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.720] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.721] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.721] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.722] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.723] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.723] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.724] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.724] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.725] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.726] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.726] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.727] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.773] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.774] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.775] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.775] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.776] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.777] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.777] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.778] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.779] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.779] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.780] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.781] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.781] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.782] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.783] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.783] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.784] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.785] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.785] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.786] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.787] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.787] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.788] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.789] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.789] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.791] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.791] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.792] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.793] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.794] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.795] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.796] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.796] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.797] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.798] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.799] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.800] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.801] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.801] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.802] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.803] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.803] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.804] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.805] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.808] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.809] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.809] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.810] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.811] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.811] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.812] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.812] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.813] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.814] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.814] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.815] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.816] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.816] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.817] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.817] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.818] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.819] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.819] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.820] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.820] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.822] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.822] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.823] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.823] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.824] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.825] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.825] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.826] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.826] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.827] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.828] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.828] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.829] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.830] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.830] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.831] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.832] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.832] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.833] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.834] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.834] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.835] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.836] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.836] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.837] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.838] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.839] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.839] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.840] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.840] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.841] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.842] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.842] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.843] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.844] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.844] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.845] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.845] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.846] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.847] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.847] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.848] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.848] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.849] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.850] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.850] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.851] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.852] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.854] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.854] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.855] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.856] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.856] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.857] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.857] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.858] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.859] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.859] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.860] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.861] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.861] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.862] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.862] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.863] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.864] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.864] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.865] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.866] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.866] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.867] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.867] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.868] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.869] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.869] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.870] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.871] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.871] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.872] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.872] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.873] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.874] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.874] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.875] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0252.876] Thread32Next (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0253.216] CloseHandle (hObject=0x150) returned 1 [0253.216] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xdc4) returned 0x150 [0253.216] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0289.152] CloseHandle (hObject=0x150) returned 1 [0289.152] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0289.166] Thread32First (hSnapshot=0x150, lpte=0x1df6ec) returned 1 [0291.574] CloseHandle (hObject=0x150) returned 1 [0291.574] FreeLibrary (hLibModule=0x647c0000) returned 1 [0291.575] LocalFree (hMem=0x6d2bb8) returned 0x0 [0291.576] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.576] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.577] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6c3850 | out: hHeap=0x6c0000) returned 1 [0291.578] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d1f68 | out: hHeap=0x6c0000) returned 1 [0291.579] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0291.579] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0291.579] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1df714 | out: phModule=0x1df714) returned 0 [0291.579] ExitProcess (uExitCode=0x0) [0291.580] HeapFree (in: hHeap=0x6c0000, dwFlags=0x0, lpMem=0x6d0a48 | out: hHeap=0x6c0000) returned 1 Thread: id = 757 os_tid = 0xdc4 Process: id = "362" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x11226000" os_pid = "0x12bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25527 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25528 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25529 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25530 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25531 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25532 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25533 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25534 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25535 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 25536 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25537 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25538 start_va = 0x7fb60000 end_va = 0x7fb82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fb60000" filename = "" Region: id = 25539 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25540 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25541 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25542 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25545 start_va = 0x400000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25546 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25547 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25548 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25549 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25550 start_va = 0x6e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 25551 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25552 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25554 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25555 start_va = 0x7fa60000 end_va = 0x7fb5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa60000" filename = "" Region: id = 25556 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25557 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 25558 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25559 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25560 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25561 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 25562 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25563 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25564 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25565 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 25566 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25567 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25568 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25569 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 25570 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 25571 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 25572 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25573 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 25574 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 25575 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 25576 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25577 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 25578 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 25579 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 25580 start_va = 0x6e0000 end_va = 0x709fff monitored = 0 entry_point = 0x6e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25581 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 25582 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 25583 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25584 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25585 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 25586 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 25587 start_va = 0xc00000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 25588 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25589 start_va = 0x6e0000 end_va = 0x770fff monitored = 0 entry_point = 0x718cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25590 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25591 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 25592 start_va = 0xc00000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 25593 start_va = 0xd30000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 25594 start_va = 0x6e0000 end_va = 0x6fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 25595 start_va = 0x700000 end_va = 0x705fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 25596 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25597 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25598 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25599 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25600 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25601 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25602 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25603 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25604 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25605 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25606 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25607 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25608 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25609 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25610 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25611 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25612 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25613 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25614 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25615 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25616 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25617 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25618 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25619 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25620 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25621 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25622 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25623 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25624 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25625 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25626 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25627 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25628 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25629 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25630 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25631 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25632 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25633 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25634 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25635 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25636 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25637 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25638 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25639 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25640 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25641 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25642 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25643 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25644 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25645 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25646 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25647 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25648 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25649 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25650 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25651 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25652 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25653 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25654 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25655 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25656 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25657 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25658 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25659 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25660 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25661 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25662 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25663 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25664 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25665 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25666 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25667 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25668 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25669 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25670 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25671 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25672 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25673 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25674 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25675 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25676 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25677 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25678 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25679 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25680 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25681 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25682 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25683 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25684 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25685 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25686 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25687 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25688 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25689 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25690 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25691 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25692 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25693 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25694 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25695 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25696 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25697 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25698 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25699 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25700 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25701 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25702 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25703 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25704 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25705 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25706 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25707 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25708 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25709 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25710 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25711 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25712 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25713 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25714 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25715 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25716 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25717 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25718 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25719 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25720 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25721 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25722 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25723 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25724 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25725 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25726 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25727 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25728 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25729 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25730 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25731 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25732 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25733 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25734 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25735 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25736 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25737 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25738 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25739 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25740 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25741 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25742 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25743 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25744 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25745 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25746 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25747 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25748 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25749 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25750 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25751 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25752 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25753 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25754 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25755 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25756 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25757 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25758 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25759 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25760 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25761 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25762 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25763 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25764 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25765 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25766 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25767 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25768 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25769 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25770 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25771 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25772 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25773 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25774 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25775 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25776 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25777 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25778 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25779 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25780 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25781 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25782 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25783 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25784 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25785 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25786 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25787 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25788 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25789 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25790 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25791 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25792 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25793 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25794 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25795 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25796 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25797 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25798 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25799 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25800 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25801 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25802 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25803 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25804 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25805 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25806 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25807 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25808 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25809 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25810 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25811 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25812 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25813 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25814 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25815 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25816 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25817 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25818 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25819 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25820 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25821 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25822 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25823 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25824 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25825 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25826 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25827 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25828 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25829 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25830 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25831 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25832 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25833 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25834 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25835 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25836 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25837 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25838 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25839 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25840 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25841 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25842 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25843 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25844 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 25845 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 31383 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 31384 start_va = 0x6e0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 31385 start_va = 0x700000 end_va = 0x705fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 31386 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Thread: id = 758 os_tid = 0x5d0 [0253.280] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0253.280] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.281] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0253.281] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.281] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0253.281] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0253.281] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.282] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0253.282] GetProcessHeap () returned 0x7e0000 [0253.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.282] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0253.282] GetLastError () returned 0x7e [0253.282] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0253.282] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0253.283] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x364) returned 0x7f0a50 [0253.283] SetLastError (dwErrCode=0x7e) [0253.283] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe00) returned 0x7f0dc0 [0253.284] GetStartupInfoW (in: lpStartupInfo=0x18fb50 | out: lpStartupInfo=0x18fb50*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0253.284] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0253.284] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0253.284] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0253.284] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"" [0253.285] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"" [0253.285] GetACP () returned 0x4e4 [0253.285] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x220) returned 0x7f1bc8 [0253.285] IsValidCodePage (CodePage=0x4e4) returned 1 [0253.285] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb70 | out: lpCPInfo=0x18fb70) returned 1 [0253.285] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f438 | out: lpCPInfo=0x18f438) returned 1 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0253.285] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f44c | out: lpCharType=0x18f44c) returned 1 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0253.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.285] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0253.285] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0253.285] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0253.285] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f94c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÔóqy\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.285] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa4c, cbMultiByte=256, lpWideCharStr=0x18f1a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0253.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0253.286] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0253.286] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f84c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÔóqy\x88û\x18", lpUsedDefaultChar=0x0) returned 256 [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x80) returned 0x7e3858 [0253.286] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x17a) returned 0x7f1df0 [0253.286] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0253.286] GetLastError () returned 0x0 [0253.286] SetLastError (dwErrCode=0x0) [0253.286] GetEnvironmentStringsW () returned 0x7f1f78* [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0xa8c) returned 0x7f2a10 [0253.286] FreeEnvironmentStringsW (penv=0x7f1f78) returned 1 [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e4548 [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3e) returned 0x7eaac0 [0253.286] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x5c) returned 0x7e8820 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x6e) returned 0x7e4610 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x78) returned 0x7f3750 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e49e0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x28) returned 0x7e3d78 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e3fc8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1a) returned 0x7e0570 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7eaf88 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e3bd8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2a) returned 0x7e85f0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e8548 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1c) returned 0x7e3da8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x144) returned 0x7e9a38 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x7c) returned 0x7e8080 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee460 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7ea9a0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e4380 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e38f8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x30) returned 0x7e85b8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee4e0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e28f0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e04b8 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3c) returned 0x7eb018 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xd6) returned 0x7e9e58 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e8628 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1e) returned 0x7e2940 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e8660 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x54) returned 0x7e3df0 [0253.287] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e4050 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3e50 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x42) returned 0x7e40b0 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e8698 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x44) returned 0x7e9f88 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3928 [0253.288] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f2a10 | out: hHeap=0x7e0000) returned 1 [0253.288] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x800) returned 0x7f1f78 [0253.288] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0253.288] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0253.289] GetStartupInfoW (in: lpStartupInfo=0x18fbb4 | out: lpStartupInfo=0x18fbb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0253.289] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"" [0253.289] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getFeatures /fn_args=\"1\"", pNumArgs=0x18fba0 | out: pNumArgs=0x18fba0) returned 0x7f2bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0253.289] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0253.301] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x1000) returned 0x7f44b0 [0253.301] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x28) returned 0x7ea6d0 [0253.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getFeatures", cchWideChar=-1, lpMultiByteStr=0x7ea6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getFeatures", lpUsedDefaultChar=0x0) returned 20 [0253.301] GetLastError () returned 0x0 [0253.301] SetLastError (dwErrCode=0x0) [0253.302] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesW") returned 0x0 [0253.302] GetLastError () returned 0x7f [0253.302] SetLastError (dwErrCode=0x7f) [0253.302] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeaturesA") returned 0x0 [0253.302] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getFeatures") returned 0x647caac0 [0253.302] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x4) returned 0x7e3800 [0253.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x7e3800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0253.302] GetActiveWindow () returned 0x0 [0253.303] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f44b0 | out: hHeap=0x7e0000) returned 1 [0253.303] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7ea6d0 | out: hHeap=0x7e0000) returned 1 [0253.303] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7e3800 | out: hHeap=0x7e0000) returned 1 [0253.303] GetCurrentProcessId () returned 0x12bc [0253.303] GetCurrentThreadId () returned 0x5d0 [0253.303] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0253.313] Thread32First (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.314] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.314] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.315] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.315] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.316] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.317] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.317] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.318] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.318] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.319] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.320] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.320] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.321] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.322] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.322] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.323] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.323] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.324] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.325] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.325] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.326] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.326] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.327] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.328] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.328] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.329] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.329] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.330] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.331] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.331] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.332] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.332] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.333] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.334] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.334] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.335] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.335] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.336] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.340] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.340] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.341] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.342] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.342] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.343] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.343] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.344] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.345] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.345] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.346] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.346] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.347] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.347] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.348] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.349] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.349] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.350] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.350] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.351] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.352] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.352] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.353] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.354] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.354] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.355] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.355] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.356] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.357] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.357] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.358] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.358] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.359] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.359] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.360] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.361] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.361] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.362] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.362] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.363] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.364] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.364] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.365] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.365] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.366] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.366] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.367] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.368] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.369] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.370] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.370] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.371] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.372] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.372] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.373] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.373] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.374] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.375] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.375] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.376] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.376] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.377] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.378] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.378] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.379] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.379] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.380] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.381] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.381] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.382] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.382] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.383] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.387] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.388] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.388] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.389] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.389] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.390] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.391] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.391] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.392] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.392] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.393] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.394] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.394] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.395] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.395] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.396] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.397] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.397] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.398] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.398] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.399] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.401] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.401] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.402] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.402] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.403] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.403] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.404] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.405] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.405] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.406] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.406] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.407] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.408] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.408] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.409] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.409] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.410] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.410] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.411] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.412] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.412] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.413] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.413] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.414] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.414] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.415] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.416] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.416] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.417] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.417] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.418] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.418] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.420] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.421] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.422] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.422] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.423] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.423] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.424] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.425] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.425] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.426] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.426] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.427] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.427] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.428] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.429] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.429] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.430] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.433] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.434] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.435] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.435] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.436] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.436] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.437] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.438] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.438] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.439] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.439] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.440] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.440] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.441] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.442] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.442] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.443] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.443] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.444] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.444] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.445] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.446] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.494] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.495] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.496] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.496] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.497] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.498] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.499] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.499] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.513] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.514] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.515] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.515] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.516] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.517] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.517] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.518] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.519] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.519] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.520] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.521] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.522] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.522] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.523] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.524] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.525] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.525] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.526] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.526] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.527] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.528] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.529] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.529] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.530] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.531] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.532] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.532] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.533] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.534] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.535] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.535] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.536] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.537] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.538] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.538] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.539] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.552] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.553] Thread32Next (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0253.926] CloseHandle (hObject=0x150) returned 1 [0253.926] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xd4c) returned 0x150 [0253.926] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0289.188] CloseHandle (hObject=0x150) returned 1 [0289.189] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0289.197] Thread32First (hSnapshot=0x150, lpte=0x18fb84) returned 1 [0291.404] CloseHandle (hObject=0x150) returned 1 [0291.405] FreeLibrary (hLibModule=0x647c0000) returned 1 [0291.406] LocalFree (hMem=0x7f2bc8) returned 0x0 [0291.406] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.406] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.407] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7e3858 | out: hHeap=0x7e0000) returned 1 [0291.408] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f1f78 | out: hHeap=0x7e0000) returned 1 [0291.408] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0291.408] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0291.408] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fbac | out: phModule=0x18fbac) returned 0 [0291.409] ExitProcess (uExitCode=0x0) [0291.410] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f0a50 | out: hHeap=0x7e0000) returned 1 Thread: id = 760 os_tid = 0xd4c Process: id = "363" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1923c000" os_pid = "0x1370" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25847 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25848 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25849 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25850 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25851 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25852 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25853 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25854 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25855 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25856 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25857 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25858 start_va = 0x7ede0000 end_va = 0x7ee02fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ede0000" filename = "" Region: id = 25859 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25860 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25861 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25862 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25863 start_va = 0x1d0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 25864 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25865 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25866 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25867 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25868 start_va = 0x400000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25869 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25870 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25871 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25872 start_va = 0x7ece0000 end_va = 0x7eddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ece0000" filename = "" Region: id = 25873 start_va = 0x510000 end_va = 0x5cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25874 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25875 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25876 start_va = 0x5d0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 25877 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 25878 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25879 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25880 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25881 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 25882 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25883 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25884 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25885 start_va = 0x1c0000 end_va = 0x1c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25886 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 25887 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 25888 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25889 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 25890 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 25891 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 25892 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25893 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 25894 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 25895 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 25896 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 25897 start_va = 0x8a0000 end_va = 0x8c9fff monitored = 0 entry_point = 0x8a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25898 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 25899 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 25900 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 25901 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 25902 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 25903 start_va = 0xa30000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 25904 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 25905 start_va = 0xa30000 end_va = 0xac0fff monitored = 0 entry_point = 0xa68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 25906 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 25907 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 25908 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 25909 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 25910 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25911 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 25912 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25913 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 25914 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25915 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 25916 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 25917 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Thread: id = 761 os_tid = 0xc2c [0253.986] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0253.986] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.986] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0253.986] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.986] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0253.986] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0253.987] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.987] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0253.987] GetProcessHeap () returned 0x410000 [0253.987] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.987] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0253.987] GetLastError () returned 0x7e [0253.988] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0253.988] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0253.988] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x364) returned 0x420a50 [0253.988] SetLastError (dwErrCode=0x7e) [0253.988] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xe00) returned 0x420dc0 [0253.990] GetStartupInfoW (in: lpStartupInfo=0x18fe3c | out: lpStartupInfo=0x18fe3c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0253.990] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0253.990] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0253.990] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0253.990] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"" [0253.990] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"" [0253.990] GetACP () returned 0x4e4 [0253.990] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x220) returned 0x421bc8 [0253.990] IsValidCodePage (CodePage=0x4e4) returned 1 [0253.990] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe5c | out: lpCPInfo=0x18fe5c) returned 1 [0253.990] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f724 | out: lpCPInfo=0x18f724) returned 1 [0253.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0253.990] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f738 | out: lpCharType=0x18f738) returned 1 [0253.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.990] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0253.990] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0253.990] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0253.991] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0253.991] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0253.991] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc38, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0253.991] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0253.991] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd38, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0253.991] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0253.991] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0253.991] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb38, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0253.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x80) returned 0x413858 [0253.991] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0253.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x17a) returned 0x421df0 [0253.991] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0253.991] GetLastError () returned 0x0 [0253.991] SetLastError (dwErrCode=0x0) [0253.991] GetEnvironmentStringsW () returned 0x421f78* [0253.991] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xa8c) returned 0x422a10 [0253.992] FreeEnvironmentStringsW (penv=0x421f78) returned 1 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x90) returned 0x414548 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3e) returned 0x41add8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5c) returned 0x418820 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x6e) returned 0x414610 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x78) returned 0x423cd0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x62) returned 0x4149e0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x413d78 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x413fc8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x410570 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3a) returned 0x41aac0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x62) returned 0x413bd8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2a) returned 0x418628 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2e) returned 0x4183f8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x413da8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x144) returned 0x419c98 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x7c) returned 0x418080 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x36) returned 0x41e0e0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3a) returned 0x41b0f0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x90) returned 0x414380 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x4138f8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x4184a0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x36) returned 0x41e2a0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x4128f0 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x52) returned 0x4104b8 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c) returned 0x41ab08 [0253.992] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xd6) returned 0x419e58 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2e) returned 0x418430 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1e) returned 0x412940 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x418660 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x54) returned 0x413df0 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x52) returned 0x414050 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x413e50 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x42) returned 0x4140b0 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x418708 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x44) returned 0x419f88 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x413928 [0253.993] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x422a10 | out: hHeap=0x410000) returned 1 [0253.993] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x800) returned 0x421f78 [0253.994] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0253.994] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0253.994] GetStartupInfoW (in: lpStartupInfo=0x18fea0 | out: lpStartupInfo=0x18fea0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0253.994] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"" [0253.994] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"", pNumArgs=0x18fe8c | out: pNumArgs=0x18fe8c) returned 0x422bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0253.995] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0254.011] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1000) returned 0x4244b0 [0254.011] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x28) returned 0x41a6d0 [0254.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getLogLevel", cchWideChar=-1, lpMultiByteStr=0x41a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getLogLevel", lpUsedDefaultChar=0x0) returned 20 [0254.011] GetLastError () returned 0x0 [0254.011] SetLastError (dwErrCode=0x0) [0254.011] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelW") returned 0x0 [0254.011] GetLastError () returned 0x7f [0254.011] SetLastError (dwErrCode=0x7f) [0254.012] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevelA") returned 0x0 [0254.012] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getLogLevel") returned 0x647cb01c [0254.012] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x4) returned 0x413800 [0254.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x413800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0254.012] GetActiveWindow () returned 0x0 [0254.013] GetLastError () returned 0x7f [0254.013] SetLastError (dwErrCode=0x7f) Thread: id = 763 os_tid = 0x3a8 Process: id = "364" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x5886000" os_pid = "0xdd0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "363" os_parent_pid = "0x1370" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4976 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25922 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25923 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25924 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25925 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25926 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 25927 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 25928 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 25929 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25930 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 25931 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 25932 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 25933 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25934 start_va = 0x7f2f0000 end_va = 0x7f312fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2f0000" filename = "" Region: id = 25935 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25936 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25937 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 25938 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25939 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25940 start_va = 0x100000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 25941 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25942 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25961 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25962 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25963 start_va = 0xc60000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 25964 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25965 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25972 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25973 start_va = 0x7f1f0000 end_va = 0x7f2effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1f0000" filename = "" Region: id = 25974 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25975 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25976 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 25977 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 25978 start_va = 0x170000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 25979 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 25980 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 25981 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 25996 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 25997 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 25998 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 25999 start_va = 0xc50000 end_va = 0xc53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 26000 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 26001 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 26002 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 26003 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 26004 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 26005 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 26019 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 26020 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 26021 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 26022 start_va = 0xc60000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 26023 start_va = 0xd50000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 26054 start_va = 0xe50000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26055 start_va = 0xc60000 end_va = 0xc63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 26056 start_va = 0xcc0000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 26062 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 26063 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 26064 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 26065 start_va = 0xc70000 end_va = 0xc99fff monitored = 0 entry_point = 0xc75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26066 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26072 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 26073 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 26074 start_va = 0xc70000 end_va = 0xc73fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 26075 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 26076 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 26077 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 26078 start_va = 0xe50000 end_va = 0xf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26079 start_va = 0xfd0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 26135 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 26136 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 26137 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 26138 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 26139 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 26140 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 26141 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26142 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26194 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26195 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26196 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26197 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26198 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26199 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26200 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26201 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26202 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26203 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26204 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26205 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26206 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26207 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26208 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26209 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26210 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26211 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26212 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26213 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26214 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26215 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26216 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26217 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26218 start_va = 0xca0000 end_va = 0xca6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 26278 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26279 start_va = 0x7e0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 26280 start_va = 0xcd0000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 26401 start_va = 0xca0000 end_va = 0xca1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 26402 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26403 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 26404 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26419 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 26420 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 26421 start_va = 0xfe0000 end_va = 0x10c9fff monitored = 0 entry_point = 0x101d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26422 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 26423 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 26424 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 26425 start_va = 0xfe0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 26426 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26440 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 26447 start_va = 0xcb0000 end_va = 0xcb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26448 start_va = 0xcb0000 end_va = 0xcb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26449 start_va = 0xcb0000 end_va = 0xcb5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26450 start_va = 0xcb0000 end_va = 0xcb7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26451 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 26452 start_va = 0xcb0000 end_va = 0xcb9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26453 start_va = 0xcb0000 end_va = 0xcbbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26454 start_va = 0xcb0000 end_va = 0xcbdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26455 start_va = 0xcb0000 end_va = 0xcbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26456 start_va = 0xe50000 end_va = 0xe61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26457 start_va = 0xf10000 end_va = 0xf1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 26458 start_va = 0xe50000 end_va = 0xe63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26459 start_va = 0xe50000 end_va = 0xe65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26460 start_va = 0xe50000 end_va = 0xe67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26461 start_va = 0xe50000 end_va = 0xe69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26462 start_va = 0xe50000 end_va = 0xe6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26463 start_va = 0xe50000 end_va = 0xe6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26464 start_va = 0xe50000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26471 start_va = 0x6870000 end_va = 0x694ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 26730 start_va = 0x6950000 end_va = 0x6a15fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006950000" filename = "" Region: id = 26749 start_va = 0xe50000 end_va = 0xf05fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 26750 start_va = 0xf20000 end_va = 0xfc5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 26797 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 26798 start_va = 0xe50000 end_va = 0xe52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 26799 start_va = 0xe60000 end_va = 0xe63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 26800 start_va = 0x6950000 end_va = 0x714ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 26801 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26802 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26803 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26804 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26805 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26806 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26807 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26808 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26809 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26810 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26811 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26816 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26817 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26818 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26819 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26820 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26821 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26822 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26823 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26824 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26825 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26826 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26827 start_va = 0x6950000 end_va = 0x6a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006950000" filename = "" Region: id = 26828 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26829 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26830 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26831 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26832 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26836 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 26837 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 26838 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 26839 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 26840 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 26841 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 26842 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26846 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 26847 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 26848 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 26849 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 26850 start_va = 0xe70000 end_va = 0xe70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 26851 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 26852 start_va = 0xe70000 end_va = 0xe70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 26853 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 26854 start_va = 0xe80000 end_va = 0xe80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 26855 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 27741 start_va = 0x8e0000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 27742 start_va = 0x920000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 27743 start_va = 0x960000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 27744 start_va = 0x9a0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 27745 start_va = 0x9e0000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 27746 start_va = 0xa20000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 27747 start_va = 0x6f840000 end_va = 0x6f848fff monitored = 0 entry_point = 0x6f843830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 28015 start_va = 0xe70000 end_va = 0xe70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 28016 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28100 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 28212 start_va = 0xe70000 end_va = 0xe74fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 28213 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 28214 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28584 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 28715 start_va = 0xa60000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 28716 start_va = 0xaa0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 28725 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 28726 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 29058 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 29479 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 29480 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 29485 start_va = 0xae0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 29486 start_va = 0xb20000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 29487 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 29488 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 29489 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 29490 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 29491 start_va = 0x6a50000 end_va = 0x6b0bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006a50000" filename = "" Region: id = 29492 start_va = 0xe90000 end_va = 0xe93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 29493 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 29494 start_va = 0xea0000 end_va = 0xea3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 29495 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 29496 start_va = 0xec0000 end_va = 0xec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 29497 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 29498 start_va = 0xed0000 end_va = 0xed0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 29499 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 29500 start_va = 0xee0000 end_va = 0xee2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 29501 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 29506 start_va = 0x6b10000 end_va = 0x7001fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006b10000" filename = "" Region: id = 29507 start_va = 0x7010000 end_va = 0x804ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 29508 start_va = 0xb60000 end_va = 0xba1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 29545 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29546 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 765 os_tid = 0xce8 Thread: id = 768 os_tid = 0x1274 Thread: id = 771 os_tid = 0x1278 Thread: id = 793 os_tid = 0x1134 Thread: id = 796 os_tid = 0x1110 Thread: id = 798 os_tid = 0x1298 Thread: id = 832 os_tid = 0xcd4 Thread: id = 842 os_tid = 0x10f8 Process: id = "365" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5970000" os_pid = "0x120c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 25945 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 25946 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 25947 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 25948 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 25949 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 25950 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 25951 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 25952 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 25953 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 25954 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 25955 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 25956 start_va = 0x7f130000 end_va = 0x7f152fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f130000" filename = "" Region: id = 25957 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 25958 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 25959 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 25960 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 25966 start_va = 0x410000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 25967 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 25968 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 25969 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25970 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 25971 start_va = 0x490000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 25982 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 25983 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 25984 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 25985 start_va = 0x7f030000 end_va = 0x7f12ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f030000" filename = "" Region: id = 25986 start_va = 0x490000 end_va = 0x54dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 25987 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 25988 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 25989 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 25990 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 25991 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 25992 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 25993 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 25994 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 25995 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 26006 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 26007 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 26008 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 26009 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26010 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 26011 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 26012 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 26013 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 26014 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 26015 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 26016 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 26017 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 26018 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 26057 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26058 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26059 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 26060 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 26061 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26067 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 26068 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 26069 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 26070 start_va = 0xac0000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 26071 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 26082 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26083 start_va = 0xc80000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 26084 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 26085 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 26086 start_va = 0xac0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 26087 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 26090 start_va = 0x440000 end_va = 0x445fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 26091 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26092 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26093 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26094 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26095 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26096 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26097 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26098 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26099 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26100 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26101 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26102 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26103 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26104 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26105 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26106 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26107 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26108 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26109 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26110 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26111 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26112 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26113 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26114 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26115 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26116 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26117 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26118 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26119 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26120 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26121 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26122 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26123 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26124 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26125 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26126 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26127 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26128 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26129 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26130 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26131 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26132 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26133 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26134 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26145 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26146 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26147 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26148 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26149 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26150 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26151 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26152 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26153 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26154 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26155 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26156 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26157 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26158 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26159 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26160 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26161 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26162 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26163 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26164 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26165 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26166 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26167 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26168 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26169 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26170 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26171 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26172 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26173 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26174 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26175 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26176 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26177 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26178 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26179 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26180 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26181 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26182 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26183 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26184 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26185 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26186 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26187 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26188 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26189 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26190 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26191 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26192 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26193 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26219 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26220 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26221 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26222 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26223 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26224 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26225 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26226 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26227 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26228 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26229 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26230 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26231 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26232 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26233 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26234 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26235 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26236 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26237 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26238 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26239 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26240 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26241 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26242 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26243 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26244 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26245 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26246 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26247 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26248 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26249 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26250 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26251 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26252 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26253 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26254 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26255 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26256 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26257 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26258 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26259 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26260 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26261 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26262 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26263 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26264 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26265 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26266 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26267 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26268 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26269 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26270 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26271 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26272 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26273 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26274 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26275 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26276 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26277 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26297 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26298 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26299 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26300 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26301 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26302 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26303 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26304 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26305 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26306 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26307 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26308 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26309 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26310 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26311 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26312 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26313 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26314 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26315 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26316 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26317 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26318 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26319 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26320 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26321 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26322 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26323 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26324 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26325 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26326 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26327 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26328 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26329 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26330 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26331 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26332 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26333 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26334 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26335 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26336 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26337 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26338 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26339 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26340 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26341 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26342 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26343 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26344 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26345 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26346 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26347 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26348 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26349 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26350 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26351 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26352 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26353 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26354 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26355 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26356 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26363 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26364 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26365 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26366 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26367 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26368 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26369 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26370 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26371 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26372 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26373 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26374 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26375 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26376 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26377 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26378 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26379 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26380 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26381 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26382 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26383 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26384 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26385 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26386 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26387 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26388 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26389 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26390 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26391 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26392 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26393 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26394 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26395 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26396 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26397 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26398 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26399 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 26400 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 31387 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 31388 start_va = 0x420000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 31389 start_va = 0x440000 end_va = 0x445fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 31390 start_va = 0x420000 end_va = 0x425fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Thread: id = 766 os_tid = 0xbbc [0255.040] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0255.040] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0255.041] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0255.041] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0255.041] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0255.041] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0255.042] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0255.042] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0255.043] GetProcessHeap () returned 0x5a0000 [0255.043] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0255.043] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0255.043] GetLastError () returned 0x7e [0255.043] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0255.043] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0255.043] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x364) returned 0x5b0a48 [0255.043] SetLastError (dwErrCode=0x7e) [0255.044] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xe00) returned 0x5b0db8 [0255.045] GetStartupInfoW (in: lpStartupInfo=0x18fe1c | out: lpStartupInfo=0x18fe1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0255.045] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0255.045] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0255.046] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0255.046] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"" [0255.046] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"" [0255.046] GetACP () returned 0x4e4 [0255.046] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x220) returned 0x5b1bc0 [0255.046] IsValidCodePage (CodePage=0x4e4) returned 1 [0255.046] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe3c | out: lpCPInfo=0x18fe3c) returned 1 [0255.046] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f704 | out: lpCPInfo=0x18f704) returned 1 [0255.046] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0255.046] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0255.046] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f718 | out: lpCharType=0x18f718) returned 1 [0255.046] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0255.046] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f458, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0255.046] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0255.047] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0255.047] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0255.047] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f248, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0255.047] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿc4…\x8dTþ\x18", lpUsedDefaultChar=0x0) returned 256 [0255.047] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0255.047] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0255.047] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0255.047] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0255.047] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿc4…\x8dTþ\x18", lpUsedDefaultChar=0x0) returned 256 [0255.047] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x80) returned 0x5a3850 [0255.047] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0255.047] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x178) returned 0x5b1de8 [0255.047] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0255.047] GetLastError () returned 0x0 [0255.047] SetLastError (dwErrCode=0x0) [0255.047] GetEnvironmentStringsW () returned 0x5b1f68* [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0xa8c) returned 0x5b2a00 [0255.048] FreeEnvironmentStringsW (penv=0x5b1f68) returned 1 [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x90) returned 0x5a47a0 [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3e) returned 0x5aaea8 [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x5c) returned 0x5a8a78 [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x6e) returned 0x5a4868 [0255.048] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x78) returned 0x5b3fc0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x62) returned 0x5a4c38 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x28) returned 0x5a3d70 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x48) returned 0x5a3fc0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1a) returned 0x5a0570 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3a) returned 0x5aaa28 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x62) returned 0x5a3bd0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2a) returned 0x5a89d0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2e) returned 0x5a8688 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1c) returned 0x5a3da0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x144) returned 0x5a9c90 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x7c) returned 0x5a82d8 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x36) returned 0x5ae0d8 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3a) returned 0x5aae18 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x90) returned 0x5a4378 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a38f0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x30) returned 0x5a86c0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x36) returned 0x5ae298 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x48) returned 0x5a28f0 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x52) returned 0x5a04b8 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x3c) returned 0x5ab130 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0xd6) returned 0x5a9e50 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2e) returned 0x5a8730 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x1e) returned 0x5a2940 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2c) returned 0x5a8768 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x54) returned 0x5a3de8 [0255.049] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x52) returned 0x5a4048 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a3e48 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x42) returned 0x5a40a8 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x2c) returned 0x5a87a0 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x44) returned 0x5a9f80 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x24) returned 0x5a3920 [0255.050] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b2a00 | out: hHeap=0x5a0000) returned 1 [0255.050] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x8, Size=0x800) returned 0x5b1f68 [0255.050] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0255.050] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0255.051] GetStartupInfoW (in: lpStartupInfo=0x18fe80 | out: lpStartupInfo=0x18fe80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0255.051] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"" [0255.051] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getMessage /fn_args=\"1\"", pNumArgs=0x18fe6c | out: pNumArgs=0x18fe6c) returned 0x5b2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0255.052] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0255.056] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x1000) returned 0x5b44a0 [0255.056] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x26) returned 0x5aa7b0 [0255.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getMessage", cchWideChar=-1, lpMultiByteStr=0x5aa7b0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getMessage", lpUsedDefaultChar=0x0) returned 19 [0255.056] GetLastError () returned 0x0 [0255.056] SetLastError (dwErrCode=0x0) [0255.057] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageW") returned 0x0 [0255.057] GetLastError () returned 0x7f [0255.057] SetLastError (dwErrCode=0x7f) [0255.057] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessageA") returned 0x0 [0255.057] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getMessage") returned 0x647ca2d0 [0255.057] RtlAllocateHeap (HeapHandle=0x5a0000, Flags=0x0, Size=0x4) returned 0x5a37f8 [0255.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x5a37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0255.057] GetActiveWindow () returned 0x0 [0255.058] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b44a0 | out: hHeap=0x5a0000) returned 1 [0255.059] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5aa7b0 | out: hHeap=0x5a0000) returned 1 [0255.059] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a37f8 | out: hHeap=0x5a0000) returned 1 [0255.059] GetCurrentProcessId () returned 0x120c [0255.059] GetCurrentThreadId () returned 0xbbc [0255.059] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0255.271] Thread32First (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.272] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.273] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.273] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.276] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.277] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.277] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.278] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.279] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.279] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.280] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.281] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.282] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.282] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.283] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.284] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.285] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.285] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.286] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.287] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.287] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.288] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.289] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.290] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.291] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.292] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.293] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.294] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.294] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.295] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.296] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.296] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.297] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.298] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.299] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.299] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.300] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.301] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.301] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.302] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.303] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.304] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.304] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.305] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.360] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.361] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.361] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.362] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.363] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.364] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.364] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.365] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.366] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.367] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.367] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.368] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.369] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.370] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.371] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.371] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.372] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.373] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.374] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.374] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.375] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.376] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.376] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.377] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.378] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.379] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.379] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.380] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.381] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.381] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.382] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.383] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.387] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.388] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.388] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.389] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.390] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.390] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.391] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.392] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.393] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.393] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.394] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.395] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.396] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.396] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.397] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.398] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.398] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.434] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.435] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.436] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.437] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.437] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.438] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.439] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.440] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.440] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.441] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.442] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.443] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.443] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.444] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.445] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.445] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.446] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.447] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.448] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.449] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.449] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.450] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.451] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.452] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.452] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.453] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.454] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.454] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.455] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.456] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.457] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.457] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.458] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.459] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.460] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.460] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.461] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.462] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.463] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.463] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.464] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.465] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.466] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.466] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.467] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.468] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.468] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.469] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.470] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.471] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.472] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.473] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.474] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.475] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.476] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.477] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.538] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.539] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.542] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.543] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.543] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.545] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.545] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.546] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.547] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.548] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.548] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.549] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.550] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.551] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.551] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.552] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.553] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.554] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.554] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.555] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.556] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.557] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.558] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.558] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.559] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.560] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.561] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.562] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.562] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.563] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.564] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.565] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.565] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.566] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.567] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.568] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.568] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.569] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.570] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.571] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.572] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.572] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.573] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.574] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.574] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.575] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.576] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.577] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.578] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.578] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.579] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.580] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.581] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.581] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.582] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.583] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.584] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.584] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.585] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.586] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.637] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.638] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.639] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.640] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.640] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.641] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.642] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.643] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.643] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.644] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.645] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.646] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.646] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.647] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.648] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.649] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.650] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.651] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.652] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.652] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.653] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.654] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.655] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.655] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.656] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.657] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.657] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.658] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.659] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.659] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.660] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.661] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.661] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.662] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.663] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.663] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.664] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0255.664] Thread32Next (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0256.455] CloseHandle (hObject=0x150) returned 1 [0256.455] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xcfc) returned 0x150 [0256.455] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0289.227] CloseHandle (hObject=0x150) returned 1 [0289.227] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0289.234] Thread32First (hSnapshot=0x150, lpte=0x18fe50) returned 1 [0291.447] CloseHandle (hObject=0x150) returned 1 [0291.447] FreeLibrary (hLibModule=0x647c0000) returned 1 [0291.449] LocalFree (hMem=0x5b2bb8) returned 0x0 [0291.449] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.449] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.450] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5a3850 | out: hHeap=0x5a0000) returned 1 [0291.451] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b1f68 | out: hHeap=0x5a0000) returned 1 [0291.451] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0291.451] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0291.452] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fe78 | out: phModule=0x18fe78) returned 0 [0291.452] ExitProcess (uExitCode=0x0) [0291.453] HeapFree (in: hHeap=0x5a0000, dwFlags=0x0, lpMem=0x5b0a48 | out: hHeap=0x5a0000) returned 1 Thread: id = 769 os_tid = 0xcfc Process: id = "366" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x594d000" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "363" os_parent_pid = "0x1370" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getLogLevel /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "367" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4656b000" os_pid = "0x13dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26281 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26282 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26283 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 26284 start_va = 0x60000 end_va = 0x61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 26285 start_va = 0x70000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 26286 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 26287 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 26288 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 26289 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 26290 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 26291 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 26292 start_va = 0x7f4e0000 end_va = 0x7f502fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f4e0000" filename = "" Region: id = 26293 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 26294 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 26295 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26296 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 26357 start_va = 0x400000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26358 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 26359 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 26360 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26361 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 26362 start_va = 0x5c0000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 26405 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26406 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 26407 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26408 start_va = 0x7f3e0000 end_va = 0x7f4dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f3e0000" filename = "" Region: id = 26409 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26410 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 26411 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 26412 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 26413 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 26414 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 26415 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 26416 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 26417 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 26418 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 26427 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 26428 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 26429 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 26430 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 26431 start_va = 0x60000 end_va = 0x63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 26432 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 26433 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 26434 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 26435 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 26436 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 26437 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 26438 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 26439 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 26442 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 26443 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26444 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26445 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 26446 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26465 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 26466 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 26467 start_va = 0x500000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 26468 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 26469 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 26470 start_va = 0x6c0000 end_va = 0x750fff monitored = 0 entry_point = 0x6f8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26474 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 26475 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 26476 start_va = 0xba0000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 26477 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 26478 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 26479 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 26480 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26481 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26482 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26483 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26484 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26485 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26486 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26487 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26488 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26489 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26490 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26491 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26492 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26493 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26494 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26495 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26496 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26497 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26498 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26499 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26500 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26501 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26502 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26503 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26504 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26505 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26506 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26507 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26508 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26509 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26510 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26511 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26512 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26513 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26514 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26515 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26516 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26517 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26518 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26519 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26520 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26521 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26522 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26523 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26524 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26525 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26526 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26527 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26528 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26529 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26530 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26531 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26532 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26533 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26534 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26535 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26536 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26537 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26538 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26539 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26540 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26541 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26542 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26543 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26544 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26545 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26546 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26547 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26548 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26549 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26550 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26551 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26552 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26553 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26554 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26555 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26556 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26557 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26558 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26559 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26560 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26561 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26562 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26563 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26564 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26565 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26566 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26567 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26568 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26569 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26570 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26571 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26572 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26573 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26574 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26575 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26576 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26577 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26578 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26579 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26580 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26581 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26582 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26583 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26584 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26585 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26586 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26587 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26588 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26589 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26590 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26591 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26592 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26593 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26594 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26595 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26596 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26597 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26598 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26599 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26600 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26601 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26602 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26603 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26604 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26605 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26606 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26607 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26608 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26609 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26610 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26611 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26612 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26613 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26614 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26615 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26616 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26617 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26618 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26619 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26620 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26621 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26622 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26623 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26624 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26625 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26626 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26627 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26628 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26629 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26630 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26631 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26632 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26633 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26634 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26635 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26636 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26637 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26638 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26639 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26640 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26641 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26642 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26643 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26644 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26645 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26646 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26647 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26648 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26649 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26650 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26651 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26652 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26653 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26654 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26655 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26656 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26657 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26658 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26659 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26660 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26661 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26662 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26663 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26664 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26665 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26666 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26667 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26668 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26669 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26670 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26671 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26672 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26673 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26674 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26675 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26676 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26677 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26678 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26679 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26680 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26681 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26682 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26683 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26684 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26685 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26686 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26687 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26688 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26689 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26690 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26691 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26692 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26693 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26694 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26695 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26696 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26697 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26698 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26699 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26700 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26701 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26702 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26703 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26704 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26705 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26706 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26707 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26708 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26709 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26710 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26711 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26712 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26713 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26714 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26715 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26716 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26717 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26718 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26719 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26720 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26721 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26722 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26723 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26724 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26725 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26726 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26727 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26728 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 26729 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 31391 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 31392 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 31393 start_va = 0x4c0000 end_va = 0x4c5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 31394 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 772 os_tid = 0x1328 [0256.140] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0256.140] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0256.141] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0256.141] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0256.141] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0256.141] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0256.142] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0256.142] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0256.142] GetProcessHeap () returned 0x780000 [0256.142] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0256.142] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0256.142] GetLastError () returned 0x7e [0256.142] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0256.142] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0256.143] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x364) returned 0x790a48 [0256.143] SetLastError (dwErrCode=0x7e) [0256.143] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe00) returned 0x790db8 [0256.144] GetStartupInfoW (in: lpStartupInfo=0x1af7d0 | out: lpStartupInfo=0x1af7d0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0256.144] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0256.144] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0256.144] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0256.144] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"" [0256.145] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"" [0256.145] GetACP () returned 0x4e4 [0256.145] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x220) returned 0x791bc0 [0256.145] IsValidCodePage (CodePage=0x4e4) returned 1 [0256.145] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af7f0 | out: lpCPInfo=0x1af7f0) returned 1 [0256.145] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af0b8 | out: lpCPInfo=0x1af0b8) returned 1 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x1aee58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0256.145] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x1af0cc | out: lpCharType=0x1af0cc) returned 1 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x1aee08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0256.145] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0256.145] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0256.145] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0256.145] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1aebf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0256.145] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1af5cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЮ(ö\x08ø\x1a", lpUsedDefaultChar=0x0) returned 256 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0256.145] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af6cc, cbMultiByte=256, lpWideCharStr=0x1aee28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0256.146] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0256.146] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x1aec18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0256.146] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1af4cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЮ(ö\x08ø\x1a", lpUsedDefaultChar=0x0) returned 256 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x80) returned 0x783850 [0256.146] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x178) returned 0x791de8 [0256.146] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0256.146] GetLastError () returned 0x0 [0256.146] SetLastError (dwErrCode=0x0) [0256.146] GetEnvironmentStringsW () returned 0x791f68* [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0xa8c) returned 0x792a00 [0256.146] FreeEnvironmentStringsW (penv=0x791f68) returned 1 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7847a0 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3e) returned 0x78ab90 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x5c) returned 0x788a78 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x6e) returned 0x784868 [0256.146] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x78) returned 0x793bc0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x784c38 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x783d70 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x783fc0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x780570 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78aa28 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x783bd0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2a) returned 0x7889d0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x7887d8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x783da0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x144) returned 0x789c90 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x7c) returned 0x7882d8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e0d8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78acb0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7845d8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x7838f0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x30) returned 0x7887a0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e458 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x7828f0 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7804b8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3c) returned 0x78b010 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd6) returned 0x789e50 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788650 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1e) returned 0x782940 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788810 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x783de8 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x784048 [0256.147] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783e48 [0256.148] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x42) returned 0x7840a8 [0256.148] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788688 [0256.148] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x789f80 [0256.148] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783920 [0256.148] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792a00 | out: hHeap=0x780000) returned 1 [0256.148] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x800) returned 0x791f68 [0256.148] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0256.148] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0256.149] GetStartupInfoW (in: lpStartupInfo=0x1af834 | out: lpStartupInfo=0x1af834*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0256.149] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"" [0256.149] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_getVersion /fn_args=\"1\"", pNumArgs=0x1af820 | out: pNumArgs=0x1af820) returned 0x792bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0256.293] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0256.297] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x1000) returned 0x7944a0 [0256.297] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x26) returned 0x78a728 [0256.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_getVersion", cchWideChar=-1, lpMultiByteStr=0x78a728, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_getVersion", lpUsedDefaultChar=0x0) returned 19 [0256.298] GetLastError () returned 0x0 [0256.298] SetLastError (dwErrCode=0x0) [0256.298] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionW") returned 0x0 [0256.298] GetLastError () returned 0x7f [0256.298] SetLastError (dwErrCode=0x7f) [0256.298] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersionA") returned 0x0 [0256.298] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_getVersion") returned 0x647caab6 [0256.298] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x4) returned 0x7837f8 [0256.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x7837f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0256.298] GetActiveWindow () returned 0x0 [0256.299] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7944a0 | out: hHeap=0x780000) returned 1 [0256.299] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x78a728 | out: hHeap=0x780000) returned 1 [0256.299] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x7837f8 | out: hHeap=0x780000) returned 1 [0256.299] GetCurrentProcessId () returned 0x13dc [0256.299] GetCurrentThreadId () returned 0x1328 [0256.299] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0256.309] Thread32First (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.310] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.310] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.311] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.311] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.312] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.312] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.313] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.314] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.314] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.315] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.315] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.316] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.317] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.317] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.318] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.318] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.319] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.320] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.320] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.321] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.322] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.322] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.323] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.323] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.324] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.324] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.325] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.326] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.326] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.327] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.327] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.328] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.329] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.329] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.330] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.330] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.331] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.331] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.332] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.333] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.333] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.334] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.334] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.335] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.336] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.336] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.337] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.337] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.338] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.339] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.339] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.340] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.389] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.389] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.390] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.391] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.391] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.392] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.392] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.393] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.394] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.394] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.395] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.395] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.396] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.396] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.397] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.398] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.398] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.399] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.403] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.404] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.404] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.405] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.406] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.406] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.407] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.407] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.408] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.408] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.409] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.410] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.410] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.411] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.411] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.412] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.413] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.413] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.414] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.414] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.415] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.416] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.416] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.417] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.418] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.418] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.419] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.419] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.420] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.420] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.421] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.422] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.422] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.423] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.423] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.424] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.425] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.425] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.426] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.426] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.427] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.427] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.428] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.429] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.429] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.430] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.459] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.459] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.460] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.461] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.461] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.462] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.462] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.463] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.464] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.464] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.465] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.465] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.466] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.466] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.467] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.468] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.468] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.469] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.469] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.470] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.470] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.471] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.472] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.472] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.473] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.473] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.474] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.474] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.475] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.476] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.476] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.477] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.478] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.478] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.479] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.479] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.480] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.480] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.481] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.482] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.482] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.483] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.483] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.484] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.485] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.485] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.486] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.486] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.487] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.487] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.488] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.489] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.489] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.490] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.490] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.491] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.491] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.492] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.493] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.502] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.502] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.503] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.503] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.504] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.505] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.505] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.506] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.506] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.507] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.507] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.508] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.509] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.509] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.510] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.511] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.511] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.512] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.512] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.513] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.513] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.514] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.515] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.515] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.516] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.516] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.517] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.517] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.518] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.519] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.519] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.520] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.520] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.521] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.522] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.522] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.523] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.523] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.524] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.525] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.526] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.526] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.527] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.527] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.528] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.529] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.529] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.530] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.530] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.531] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.531] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.532] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.533] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.533] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.534] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.534] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.535] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.536] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.536] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.537] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.537] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.538] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.538] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.539] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.540] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.548] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.549] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.550] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.550] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.551] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.551] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.552] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.552] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0256.553] Thread32Next (hSnapshot=0x150, lpte=0x1af804) returned 1 [0257.171] CloseHandle (hObject=0x150) returned 1 [0257.171] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xca8) returned 0x150 [0257.171] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0289.265] CloseHandle (hObject=0x150) returned 1 [0289.265] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0289.273] Thread32First (hSnapshot=0x150, lpte=0x1af804) returned 1 [0291.488] CloseHandle (hObject=0x150) returned 1 [0291.488] FreeLibrary (hLibModule=0x647c0000) returned 1 [0291.489] LocalFree (hMem=0x792bb8) returned 0x0 [0291.490] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.490] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.490] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x783850 | out: hHeap=0x780000) returned 1 [0291.491] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x791f68 | out: hHeap=0x780000) returned 1 [0291.491] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0291.491] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0291.491] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x1af82c | out: phModule=0x1af82c) returned 0 [0291.491] ExitProcess (uExitCode=0x0) [0291.492] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x790a48 | out: hHeap=0x780000) returned 1 Thread: id = 774 os_tid = 0xca8 Process: id = "368" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5481000" os_pid = "0x11f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26731 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26732 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26733 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 26734 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 26735 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 26736 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 26737 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26738 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 26739 start_va = 0x710000 end_va = 0x711fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 26740 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 26741 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 26742 start_va = 0x7ef50000 end_va = 0x7ef72fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef50000" filename = "" Region: id = 26743 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 26744 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 26745 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26746 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 26751 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26752 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 26753 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 26754 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26755 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 26756 start_va = 0x720000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 26758 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26759 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 26760 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26761 start_va = 0x7ee50000 end_va = 0x7ef4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee50000" filename = "" Region: id = 26762 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26763 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 26764 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 26765 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 26766 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 26767 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 26768 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 26769 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 26770 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 26771 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 26772 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 26773 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 26774 start_va = 0x710000 end_va = 0x713fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 26775 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 26776 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 26777 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 26778 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 26779 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 26780 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 26781 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 26782 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 26783 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 26784 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26785 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 26786 start_va = 0x8b0000 end_va = 0x8d9fff monitored = 0 entry_point = 0x8b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26787 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 26788 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26789 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 26790 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26791 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 26792 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 26793 start_va = 0xb90000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 26794 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 26795 start_va = 0xb90000 end_va = 0xc20fff monitored = 0 entry_point = 0xbc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26796 start_va = 0xd40000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 26812 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 26813 start_va = 0x8b0000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 26814 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 26815 start_va = 0x8c0000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 26833 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 26834 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 26835 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 26843 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 26844 start_va = 0x8c0000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 26845 start_va = 0x8d0000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Thread: id = 775 os_tid = 0x960 [0257.235] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0257.235] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0257.235] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0257.235] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0257.235] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0257.235] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0257.236] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0257.236] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0257.237] GetProcessHeap () returned 0x900000 [0257.237] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0257.237] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0257.237] GetLastError () returned 0x7e [0257.237] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0257.237] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0257.237] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x364) returned 0x910a48 [0257.238] SetLastError (dwErrCode=0x7e) [0257.238] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xe00) returned 0x910db8 [0257.239] GetStartupInfoW (in: lpStartupInfo=0x18fcd0 | out: lpStartupInfo=0x18fcd0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0257.239] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0257.239] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0257.239] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0257.239] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"" [0257.239] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"" [0257.239] GetACP () returned 0x4e4 [0257.239] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x220) returned 0x911bc0 [0257.239] IsValidCodePage (CodePage=0x4e4) returned 1 [0257.240] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fcf0 | out: lpCPInfo=0x18fcf0) returned 1 [0257.240] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f5b8 | out: lpCPInfo=0x18f5b8) returned 1 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x18f358, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0257.240] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f5cc | out: lpCharType=0x18f5cc) returned 1 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0257.240] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0257.240] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0257.240] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0257.240] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f0f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0257.240] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18facc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x87\x16j.\x08ý\x18", lpUsedDefaultChar=0x0) returned 256 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0257.240] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fbcc, cbMultiByte=256, lpWideCharStr=0x18f328, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0257.240] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0257.240] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f118, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0257.240] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x87\x16j.\x08ý\x18", lpUsedDefaultChar=0x0) returned 256 [0257.240] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x80) returned 0x903850 [0257.241] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x178) returned 0x911de8 [0257.241] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0257.241] GetLastError () returned 0x0 [0257.241] SetLastError (dwErrCode=0x0) [0257.241] GetEnvironmentStringsW () returned 0x911f68* [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0xa8c) returned 0x912a00 [0257.241] FreeEnvironmentStringsW (penv=0x911f68) returned 1 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x904540 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3e) returned 0x90add0 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x5c) returned 0x908a78 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x6e) returned 0x904608 [0257.241] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x78) returned 0x9135c0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x904c38 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x28) returned 0x903d70 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x903fc0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1a) returned 0x900570 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90aa70 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x903bd0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2a) returned 0x9089d0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x908848 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1c) returned 0x903da0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x144) returned 0x909c90 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x7c) returned 0x9082d8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e4d8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90ae60 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x904378 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x9038f0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x30) returned 0x9088b8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e518 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x9028f0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x9004b8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3c) returned 0x90aab8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xd6) returned 0x909e50 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x9088f0 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1e) returned 0x902940 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908928 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x54) returned 0x903de8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x904048 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x903e48 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x42) returned 0x9040a8 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908960 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x44) returned 0x909f80 [0257.242] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x903920 [0257.243] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x912a00 | out: hHeap=0x900000) returned 1 [0257.324] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x800) returned 0x911f68 [0257.325] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0257.325] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0257.325] GetStartupInfoW (in: lpStartupInfo=0x18fd34 | out: lpStartupInfo=0x18fd34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0257.325] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"" [0257.325] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"", pNumArgs=0x18fd20 | out: pNumArgs=0x18fd20) returned 0x912bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0257.326] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0257.328] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x1000) returned 0x9144a0 [0257.328] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x26) returned 0x90a6c8 [0257.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_initialize", cchWideChar=-1, lpMultiByteStr=0x90a6c8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_initialize", lpUsedDefaultChar=0x0) returned 19 [0257.328] GetLastError () returned 0x0 [0257.328] SetLastError (dwErrCode=0x0) [0257.328] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeW") returned 0x0 [0257.329] GetLastError () returned 0x7f [0257.329] SetLastError (dwErrCode=0x7f) [0257.329] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initializeA") returned 0x0 [0257.329] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_initialize") returned 0x647caad2 [0257.329] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x4) returned 0x9037f8 [0257.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x9037f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0257.329] GetActiveWindow () returned 0x0 [0257.330] GetLastError () returned 0x7f [0257.331] SetLastError (dwErrCode=0x7f) Thread: id = 777 os_tid = 0x11cc Process: id = "369" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5712000" os_pid = "0x11c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "368" os_parent_pid = "0x11f8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_initialize /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "370" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5797000" os_pid = "0x13cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 26858 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 26859 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 26860 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 26861 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 26862 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 26863 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 26864 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 26865 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 26866 start_va = 0x820000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 26867 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 26868 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 26869 start_va = 0x7f060000 end_va = 0x7f082fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f060000" filename = "" Region: id = 26870 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 26871 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 26872 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 26873 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 26886 start_va = 0x400000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 26887 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 26888 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 26889 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26890 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 26893 start_va = 0x830000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 26894 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 26895 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 26899 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 26900 start_va = 0x7ef60000 end_va = 0x7f05ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef60000" filename = "" Region: id = 26901 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 26902 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 26903 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 26904 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 26905 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 26906 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 26907 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 26908 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 26909 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 26910 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 26911 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 26912 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 26913 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 26914 start_va = 0x820000 end_va = 0x823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 26915 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 26916 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 26917 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 26921 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 26922 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 26923 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 26924 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 26925 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 26926 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 26927 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 26928 start_va = 0x690000 end_va = 0x817fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 26929 start_va = 0x830000 end_va = 0x859fff monitored = 0 entry_point = 0x835680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26930 start_va = 0x970000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 26931 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 26932 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 26933 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 26934 start_va = 0x830000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 26935 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 26936 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 26937 start_va = 0x830000 end_va = 0x8c0fff monitored = 0 entry_point = 0x868cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 26938 start_va = 0x950000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 26941 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 26942 start_va = 0x830000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 26943 start_va = 0x840000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 26944 start_va = 0xc00000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 26945 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26946 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26947 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26948 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26949 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26950 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26951 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26952 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26953 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26954 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26955 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26956 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26957 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26958 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26959 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26960 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26961 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26962 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26963 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26964 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26965 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26966 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26967 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26968 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26969 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26970 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26971 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26972 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26973 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26974 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26975 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26976 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26977 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26978 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26979 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26980 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26981 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26982 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26983 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26984 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26985 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26986 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26987 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26988 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26989 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26990 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26991 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26992 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26993 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26994 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26995 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26996 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26997 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26998 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 26999 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27000 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27001 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27002 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27003 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27004 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27005 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27006 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27007 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27008 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27009 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27010 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27011 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27012 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27013 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27014 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27015 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27016 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27017 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27018 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27019 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27020 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27021 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27022 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27023 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27024 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27025 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27026 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27027 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27028 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27029 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27030 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27031 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27032 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27033 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27034 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27035 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27036 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27037 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27038 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27039 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27040 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27041 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27042 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27043 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27044 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27045 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27046 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27047 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27048 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27049 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27050 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27051 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27052 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27053 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27054 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27055 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27056 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27057 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27058 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27059 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27060 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27061 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27062 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27063 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27064 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27065 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27066 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27067 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27068 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27069 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27070 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27071 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27072 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27075 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27076 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27077 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27078 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27079 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27080 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27081 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27082 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27083 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27084 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27085 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27086 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27087 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27088 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27089 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27090 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27091 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27092 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27093 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27094 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27095 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27096 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27097 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27098 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27099 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27100 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27101 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27102 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27103 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27104 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27105 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27106 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27107 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27108 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27109 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27110 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27111 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27112 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27113 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27114 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27115 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27116 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27117 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27118 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27119 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27120 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27121 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27122 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27123 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27124 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27125 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27126 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27127 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27128 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27129 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27130 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27131 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27132 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27133 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27134 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27135 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27148 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27149 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27150 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27151 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27152 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27153 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27154 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27155 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27156 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27157 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27158 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27159 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27160 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27161 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27162 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27163 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27164 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27165 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27166 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27167 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27168 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27169 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27170 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27171 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27172 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27173 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27174 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27175 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27176 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27177 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27178 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27179 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27180 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27181 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27182 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27183 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27184 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27185 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27186 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27187 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27188 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27189 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27190 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27191 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27192 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27193 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27194 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27195 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27196 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27197 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27198 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27199 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27200 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27208 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27209 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27210 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27211 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27212 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27213 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27214 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27215 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 27216 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 31395 start_va = 0x830000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 31396 start_va = 0xc00000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 31397 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 31398 start_va = 0x830000 end_va = 0x835fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Thread: id = 779 os_tid = 0x13ec [0258.383] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0258.383] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0258.384] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0258.384] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0258.385] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0258.385] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0258.386] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0258.386] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0258.386] GetProcessHeap () returned 0x970000 [0258.386] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0258.386] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0258.386] GetLastError () returned 0x7e [0258.387] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0258.387] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0258.387] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x364) returned 0x980a40 [0258.387] SetLastError (dwErrCode=0x7e) [0258.387] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0xe00) returned 0x980db0 [0258.518] GetStartupInfoW (in: lpStartupInfo=0x18fc18 | out: lpStartupInfo=0x18fc18*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0258.518] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0258.518] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0258.518] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0258.518] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"" [0258.518] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"" [0258.518] GetACP () returned 0x4e4 [0258.518] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0x220) returned 0x981bb8 [0258.518] IsValidCodePage (CodePage=0x4e4) returned 1 [0258.518] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc38 | out: lpCPInfo=0x18fc38) returned 1 [0258.518] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f500 | out: lpCPInfo=0x18f500) returned 1 [0258.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0258.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0258.518] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f514 | out: lpCharType=0x18f514) returned 1 [0258.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0258.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0258.519] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0258.519] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0258.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0258.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0258.519] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa14, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿê÷N\x81Pü\x18", lpUsedDefaultChar=0x0) returned 256 [0258.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0258.519] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb14, cbMultiByte=256, lpWideCharStr=0x18f278, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0258.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0258.519] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f068, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0258.519] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f914, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿê÷N\x81Pü\x18", lpUsedDefaultChar=0x0) returned 256 [0258.519] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0x80) returned 0x973848 [0258.519] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0258.519] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x170) returned 0x981de0 [0258.519] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0258.519] GetLastError () returned 0x0 [0258.520] SetLastError (dwErrCode=0x0) [0258.520] GetEnvironmentStringsW () returned 0x981f58* [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0xa8c) returned 0x9829f0 [0258.520] FreeEnvironmentStringsW (penv=0x981f58) returned 1 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x90) returned 0x974538 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x3e) returned 0x97afc0 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x5c) returned 0x978810 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x6e) returned 0x974600 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x78) returned 0x983eb0 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x62) returned 0x9749d0 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x28) returned 0x973d68 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x48) returned 0x973fb8 [0258.520] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x1a) returned 0x970570 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x3a) returned 0x97b098 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x62) returned 0x973bc8 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x2a) returned 0x978618 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x2e) returned 0x978650 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x1c) returned 0x973d98 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x144) returned 0x979c88 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x7c) returned 0x978070 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x36) returned 0x97e550 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x3a) returned 0x97b008 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x90) returned 0x974370 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x24) returned 0x9738e8 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x30) returned 0x978458 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x36) returned 0x97e2d0 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x48) returned 0x9728e8 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x52) returned 0x9704b8 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x3c) returned 0x97acf0 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0xd6) returned 0x979e48 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x2e) returned 0x978570 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x1e) returned 0x972938 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x2c) returned 0x978730 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x54) returned 0x973de0 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x52) returned 0x974040 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x24) returned 0x973e40 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x42) returned 0x9740a0 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x2c) returned 0x978490 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x44) returned 0x979f78 [0258.521] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x24) returned 0x973918 [0258.522] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x9829f0 | out: hHeap=0x970000) returned 1 [0258.522] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x8, Size=0x800) returned 0x981f58 [0258.522] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0258.522] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0258.522] GetStartupInfoW (in: lpStartupInfo=0x18fc7c | out: lpStartupInfo=0x18fc7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0258.522] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"" [0258.522] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_logout /fn_args=\"1\"", pNumArgs=0x18fc68 | out: pNumArgs=0x18fc68) returned 0x982ba8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0258.523] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0258.525] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0x1000) returned 0x984490 [0258.525] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0x1e) returned 0x97a6c0 [0258.525] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_logout", cchWideChar=-1, lpMultiByteStr=0x97a6c0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_logout", lpUsedDefaultChar=0x0) returned 15 [0258.525] GetLastError () returned 0x0 [0258.525] SetLastError (dwErrCode=0x0) [0258.526] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutW") returned 0x0 [0258.526] GetLastError () returned 0x7f [0258.526] SetLastError (dwErrCode=0x7f) [0258.526] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logoutA") returned 0x0 [0258.526] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_logout") returned 0x647cbcee [0258.526] RtlAllocateHeap (HeapHandle=0x970000, Flags=0x0, Size=0x4) returned 0x9737f0 [0258.526] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x9737f0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0258.526] GetActiveWindow () returned 0x0 [0258.526] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x984490 | out: hHeap=0x970000) returned 1 [0258.526] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x97a6c0 | out: hHeap=0x970000) returned 1 [0258.527] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x9737f0 | out: hHeap=0x970000) returned 1 [0258.527] GetCurrentProcessId () returned 0x13cc [0258.527] GetCurrentThreadId () returned 0x13ec [0258.527] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0258.541] Thread32First (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.542] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.542] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.543] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.543] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.582] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.583] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.583] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.584] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.585] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.585] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.586] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.587] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.587] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.588] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.588] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.589] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.590] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.590] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.591] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.593] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.594] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.594] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.595] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.595] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.596] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.597] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.597] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.598] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.599] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.599] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.600] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.600] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.601] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.601] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.602] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.603] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.603] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.604] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.604] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.605] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.605] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.606] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.607] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.608] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.608] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.609] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.609] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.610] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.610] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.611] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.612] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.612] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.613] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.613] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.614] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.615] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.615] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.616] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.616] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.617] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.618] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.619] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.619] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.620] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.620] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.621] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.622] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.665] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.665] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.666] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.666] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.667] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.668] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.668] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.669] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.670] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.671] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.672] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.672] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.673] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.673] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.674] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.674] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.675] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.676] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.676] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.677] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.677] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.678] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.678] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.679] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.680] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.680] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.681] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.681] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.682] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.682] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.683] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.684] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.684] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.685] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.686] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.686] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.687] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.688] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.688] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.689] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.689] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.690] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.691] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.691] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.692] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.692] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.693] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.694] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.694] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.695] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.695] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.696] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.696] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.697] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.698] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.698] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.699] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.699] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.700] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.726] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.726] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.727] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.728] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.728] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.729] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.729] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.730] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.731] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.731] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.732] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.732] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.733] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.734] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.734] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.735] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.736] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.736] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.737] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.737] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.738] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.739] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.739] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.740] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.740] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.741] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.742] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.742] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.743] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.744] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.744] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.745] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.746] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.746] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.747] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.748] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.748] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.749] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.749] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.750] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.751] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.751] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.752] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.752] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.753] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.754] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.754] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.755] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.755] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.756] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.756] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.757] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.758] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.758] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.759] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.759] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.760] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.761] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.761] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.762] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.762] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.868] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.869] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.869] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.870] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.871] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.872] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.873] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.874] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.875] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.875] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.876] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.877] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.878] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.879] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.879] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.880] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.881] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.882] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.882] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.883] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.883] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.884] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.885] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.886] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.886] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.887] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.887] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.888] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.889] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.889] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.890] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.891] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.891] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.892] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.892] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.893] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.893] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.894] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.895] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.895] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.896] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.896] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.897] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.898] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.898] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.899] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.899] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.900] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.900] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.901] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.902] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.903] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0258.903] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.045] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.045] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.046] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.047] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.047] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.048] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.048] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.049] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0259.050] Thread32Next (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0260.065] CloseHandle (hObject=0x150) returned 1 [0260.065] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x13d4) returned 0x150 [0260.065] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0289.311] CloseHandle (hObject=0x150) returned 1 [0289.311] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0289.319] Thread32First (hSnapshot=0x150, lpte=0x18fc4c) returned 1 [0291.545] CloseHandle (hObject=0x150) returned 1 [0291.545] FreeLibrary (hLibModule=0x647c0000) returned 1 [0291.547] LocalFree (hMem=0x982ba8) returned 0x0 [0291.547] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.547] GetModuleHandleW (lpModuleName=0x0) returned 0x1310000 [0291.548] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x973848 | out: hHeap=0x970000) returned 1 [0291.549] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x981f58 | out: hHeap=0x970000) returned 1 [0291.651] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x772e0000 [0291.652] GetProcAddress (hModule=0x772e0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0291.652] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fc74 | out: phModule=0x18fc74) returned 0 [0291.652] ExitProcess (uExitCode=0x0) [0291.653] HeapFree (in: hHeap=0x970000, dwFlags=0x0, lpMem=0x980a40 | out: hHeap=0x970000) returned 1 Thread: id = 781 os_tid = 0x13d4 Process: id = "371" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50ad000" os_pid = "0x1148" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27217 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27218 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27219 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27220 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27221 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27222 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27223 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27224 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27225 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 27226 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 27227 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27228 start_va = 0x7f000000 end_va = 0x7f022fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f000000" filename = "" Region: id = 27229 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27230 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27231 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27232 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27238 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27266 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27267 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27268 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27269 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27270 start_va = 0xd00000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 27271 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27272 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27273 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27274 start_va = 0x7ef00000 end_va = 0x7effffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef00000" filename = "" Region: id = 27275 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27276 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 27277 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27278 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27279 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27280 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 27281 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27284 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27285 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27286 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27287 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27288 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27289 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27290 start_va = 0xcf0000 end_va = 0xcf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 27291 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27292 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27293 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27294 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27295 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27296 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27297 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27298 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27299 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27300 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27301 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 27302 start_va = 0xd00000 end_va = 0xd29fff monitored = 0 entry_point = 0xd05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27303 start_va = 0xe90000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 27304 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27305 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27306 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 27307 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 27308 start_va = 0xd00000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 27309 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 27310 start_va = 0xd00000 end_va = 0xd90fff monitored = 0 entry_point = 0xd38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27311 start_va = 0xe00000 end_va = 0xe0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 27312 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 27313 start_va = 0xd00000 end_va = 0xd00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 27314 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 27315 start_va = 0xd10000 end_va = 0xd17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 27316 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 27317 start_va = 0xd20000 end_va = 0xd21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 27318 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 27319 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 27320 start_va = 0xd10000 end_va = 0xd10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d10000" filename = "" Region: id = 27321 start_va = 0xd20000 end_va = 0xd20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Thread: id = 783 os_tid = 0x1150 [0260.043] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.043] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.044] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0260.044] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.044] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0260.044] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0260.045] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.045] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0260.045] GetProcessHeap () returned 0xe90000 [0260.045] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.046] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0260.046] GetLastError () returned 0x7e [0260.046] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0260.046] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0260.046] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x364) returned 0xea09a0 [0260.046] SetLastError (dwErrCode=0x7e) [0260.046] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0xe00) returned 0xea0d10 [0260.048] GetStartupInfoW (in: lpStartupInfo=0x18f8c8 | out: lpStartupInfo=0x18f8c8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0260.048] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0260.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0260.048] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0260.048] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"" [0260.048] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"" [0260.048] GetACP () returned 0x4e4 [0260.048] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0x220) returned 0xea1b18 [0260.048] IsValidCodePage (CodePage=0x4e4) returned 1 [0260.048] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8e8 | out: lpCPInfo=0x18f8e8) returned 1 [0260.048] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1b0 | out: lpCPInfo=0x18f1b0) returned 1 [0260.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0260.048] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1c4 | out: lpCharType=0x18f1c4) returned 1 [0260.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x18ef08, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0260.049] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.049] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0260.049] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.049] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ecf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0260.049] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿó\x1a¹S", lpUsedDefaultChar=0x0) returned 256 [0260.049] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.049] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7c4, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0260.049] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.049] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0260.049] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿó\x1a¹S", lpUsedDefaultChar=0x0) returned 256 [0260.049] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0x80) returned 0xe93878 [0260.049] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0260.049] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x18e) returned 0xea1d40 [0260.049] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0260.049] GetLastError () returned 0x0 [0260.049] SetLastError (dwErrCode=0x0) [0260.049] GetEnvironmentStringsW () returned 0xea1ed8* [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0xa8c) returned 0xea2970 [0260.050] FreeEnvironmentStringsW (penv=0xea1ed8) returned 1 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x90) returned 0xe947c8 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x3e) returned 0xe9aa98 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x5c) returned 0xe98aa0 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x6e) returned 0xe94890 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x78) returned 0xea3430 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x62) returned 0xe94c60 [0260.050] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x28) returned 0xe93d98 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x48) returned 0xe94248 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x1a) returned 0xe90570 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x3a) returned 0xe9adf8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x62) returned 0xe93bf8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x2a) returned 0xe98838 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x2e) returned 0xe986e8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x1c) returned 0xe93dc8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x144) returned 0xe99cb8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x7c) returned 0xe98300 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x36) returned 0xe9e2b0 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x3a) returned 0xe9ac00 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x90) returned 0xe94600 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x24) returned 0xe93918 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x30) returned 0xe98678 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x36) returned 0xe9def0 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x48) returned 0xe92908 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x52) returned 0xe904b8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x3c) returned 0xe9b158 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0xd6) returned 0xe99e78 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x2e) returned 0xe98870 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x1e) returned 0xe92958 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x2c) returned 0xe988a8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x54) returned 0xe93e10 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x52) returned 0xe942d0 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x24) returned 0xe93e70 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x42) returned 0xe94330 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x2c) returned 0xe988e0 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x44) returned 0xe99fa8 [0260.051] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x24) returned 0xe93948 [0260.052] HeapFree (in: hHeap=0xe90000, dwFlags=0x0, lpMem=0xea2970 | out: hHeap=0xe90000) returned 1 [0260.052] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x8, Size=0x800) returned 0xea1ed8 [0260.052] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.052] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0260.052] GetStartupInfoW (in: lpStartupInfo=0x18f92c | out: lpStartupInfo=0x18f92c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0260.053] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"" [0260.053] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"", pNumArgs=0x18f918 | out: pNumArgs=0x18f918) returned 0xea2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0260.053] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0260.080] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0x1000) returned 0xea4410 [0260.080] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0x3c) returned 0xe9aae0 [0260.080] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_createSession", cchWideChar=-1, lpMultiByteStr=0xe9aae0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_createSession", lpUsedDefaultChar=0x0) returned 30 [0260.080] GetLastError () returned 0x0 [0260.080] SetLastError (dwErrCode=0x0) [0260.081] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionW") returned 0x0 [0260.081] GetLastError () returned 0x7f [0260.081] SetLastError (dwErrCode=0x7f) [0260.081] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSessionA") returned 0x0 [0260.081] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_createSession") returned 0x647cef31 [0260.081] RtlAllocateHeap (HeapHandle=0xe90000, Flags=0x0, Size=0x4) returned 0xe93820 [0260.081] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xe93820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0260.081] GetActiveWindow () returned 0x0 [0260.082] GetLastError () returned 0x7f [0260.082] SetLastError (dwErrCode=0x7f) Thread: id = 785 os_tid = 0xdac Process: id = "372" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x61d8f000" os_pid = "0x13f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "371" os_parent_pid = "0x1148" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4424 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27322 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27323 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27324 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27325 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27326 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27327 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 27328 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27329 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27330 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 27331 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 27332 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 27333 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27334 start_va = 0x7e290000 end_va = 0x7e2b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e290000" filename = "" Region: id = 27335 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27336 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27337 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 27338 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27339 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27340 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27341 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27342 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27343 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27344 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27345 start_va = 0x680000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 27346 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27347 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27348 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27349 start_va = 0x7e190000 end_va = 0x7e28ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e190000" filename = "" Region: id = 27350 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27351 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27352 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27353 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27354 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 27355 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27356 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27357 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 27358 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27359 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27360 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27361 start_va = 0x670000 end_va = 0x673fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 27362 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27363 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27364 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27365 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 27366 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 27367 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27368 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 27369 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 27370 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 27371 start_va = 0x680000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 27372 start_va = 0x830000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 27373 start_va = 0x930000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27374 start_va = 0x680000 end_va = 0x683fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 27375 start_va = 0x700000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 27392 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27393 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27394 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 27395 start_va = 0x690000 end_va = 0x6b9fff monitored = 0 entry_point = 0x695680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27396 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27397 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 27398 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 27399 start_va = 0x690000 end_va = 0x693fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 27408 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27409 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 27410 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 27411 start_va = 0x6a0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 27449 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 27450 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 27451 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 27452 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 27453 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27454 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 27455 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 27456 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27457 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27458 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27459 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27460 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27461 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27462 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27463 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27464 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27465 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27466 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27467 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27468 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27469 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27474 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27475 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27476 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27477 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27478 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27479 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27480 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27481 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27482 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27483 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27484 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27485 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27486 start_va = 0x6d0000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 27487 start_va = 0x600000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 27488 start_va = 0x710000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 27489 start_va = 0x750000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 27496 start_va = 0x6d0000 end_va = 0x6d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 27497 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27498 start_va = 0x6ed00000 end_va = 0x6f11dfff monitored = 0 entry_point = 0x6edfee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 27499 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27500 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 27501 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 27502 start_va = 0x930000 end_va = 0xa19fff monitored = 0 entry_point = 0x96d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27503 start_va = 0xa60000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 27527 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 27528 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27529 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 27530 start_va = 0x930000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27531 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27544 start_va = 0xc00000 end_va = 0xf36fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 27545 start_va = 0x6e0000 end_va = 0x6e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27546 start_va = 0x6e0000 end_va = 0x6e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27547 start_va = 0x6e0000 end_va = 0x6e5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27548 start_va = 0x6e0000 end_va = 0x6e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27549 start_va = 0xf40000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 27550 start_va = 0x6e0000 end_va = 0x6e9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27551 start_va = 0x6e0000 end_va = 0x6ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27552 start_va = 0x6e0000 end_va = 0x6edfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27553 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27554 start_va = 0x6e0000 end_va = 0x6f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27555 start_va = 0x6e0000 end_va = 0x6f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27556 start_va = 0x6e0000 end_va = 0x6f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27557 start_va = 0x6e0000 end_va = 0x6f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27558 start_va = 0x6e0000 end_va = 0x6f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27596 start_va = 0x6e0000 end_va = 0x6fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27597 start_va = 0x6e0000 end_va = 0x6fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27598 start_va = 0x6e0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27617 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 27706 start_va = 0x6610000 end_va = 0x66dafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 27708 start_va = 0x66e0000 end_va = 0x6797fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 27718 start_va = 0x67a0000 end_va = 0x6848fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067a0000" filename = "" Region: id = 27784 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 27785 start_va = 0x6f0000 end_va = 0x6f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 27786 start_va = 0x710000 end_va = 0x713fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 27787 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 27788 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27789 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27790 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27791 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27792 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27793 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27794 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27795 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27796 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27814 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27815 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27816 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27817 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27818 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27819 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27820 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27821 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27822 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27823 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27824 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27825 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27826 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27827 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 27828 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27829 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27830 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27831 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27832 start_va = 0x720000 end_va = 0x726fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27833 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 27834 start_va = 0x5e0000 end_va = 0x5e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 27835 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27836 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27837 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27838 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27839 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27840 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 27853 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 27854 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 27855 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 27856 start_va = 0x720000 end_va = 0x720fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 27857 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 27858 start_va = 0x720000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 27859 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 27860 start_va = 0x730000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 27861 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28252 start_va = 0x7d0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 28253 start_va = 0x1040000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 28254 start_va = 0x1080000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 28255 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 28256 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 28257 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 28258 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 28646 start_va = 0x720000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 28647 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28935 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 29102 start_va = 0x720000 end_va = 0x724fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 29103 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 29104 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 29509 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 29650 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 29651 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 29656 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 29657 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 29840 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 30098 start_va = 0x620000 end_va = 0x621fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 30099 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 30108 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 30109 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 30110 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 30111 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 30112 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 30113 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 30114 start_va = 0x68d0000 end_va = 0x698bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068d0000" filename = "" Region: id = 30115 start_va = 0x740000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 30116 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 30117 start_va = 0x810000 end_va = 0x813fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 30118 start_va = 0x820000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 30119 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 30120 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 30125 start_va = 0xa40000 end_va = 0xa40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 30126 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 30127 start_va = 0xa50000 end_va = 0xa52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 30128 start_va = 0x640000 end_va = 0x642fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 30129 start_va = 0x6990000 end_va = 0x6e81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 30142 start_va = 0x6e90000 end_va = 0x7ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 30161 start_va = 0x7ed0000 end_va = 0x7f11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007ed0000" filename = "" Region: id = 30174 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 30175 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 786 os_tid = 0xc84 Thread: id = 787 os_tid = 0x12a0 Thread: id = 791 os_tid = 0x938 Thread: id = 813 os_tid = 0xe68 Thread: id = 814 os_tid = 0xc54 Thread: id = 815 os_tid = 0xab0 Thread: id = 849 os_tid = 0xb50 Thread: id = 864 os_tid = 0xc6c Process: id = "373" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x461c3000" os_pid = "0x12ac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27376 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27377 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27378 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27379 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27380 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27381 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27382 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27383 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27384 start_va = 0x820000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 27385 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 27386 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27387 start_va = 0x7ec10000 end_va = 0x7ec32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec10000" filename = "" Region: id = 27388 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27389 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27390 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27391 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27400 start_va = 0x400000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27401 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27402 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27403 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27404 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27405 start_va = 0x830000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 27406 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27407 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27412 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27413 start_va = 0x7eb10000 end_va = 0x7ec0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb10000" filename = "" Region: id = 27414 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27415 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 27416 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27417 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27418 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27419 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 27420 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27421 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27422 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27423 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27424 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27425 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27426 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27427 start_va = 0x820000 end_va = 0x823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 27428 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27429 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27430 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27431 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27432 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27433 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27434 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27435 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27436 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27437 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27438 start_va = 0x5f0000 end_va = 0x777fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 27439 start_va = 0x830000 end_va = 0x859fff monitored = 0 entry_point = 0x835680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27440 start_va = 0x930000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27441 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27442 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27443 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 27444 start_va = 0x830000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 27445 start_va = 0xa30000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 27446 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 27447 start_va = 0x830000 end_va = 0x8c0fff monitored = 0 entry_point = 0x868cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27448 start_va = 0x910000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 27470 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 27471 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 27472 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 27473 start_va = 0x840000 end_va = 0x847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 27490 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 27491 start_va = 0x850000 end_va = 0x851fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 27492 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 27493 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 27494 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 27495 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Thread: id = 788 os_tid = 0x13b8 [0260.791] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.791] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.791] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0260.792] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.792] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0260.792] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0260.792] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.792] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0260.793] GetProcessHeap () returned 0x930000 [0260.793] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.793] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0260.793] GetLastError () returned 0x7e [0260.793] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0260.794] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0260.794] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x364) returned 0x9409a0 [0260.794] SetLastError (dwErrCode=0x7e) [0260.892] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xe00) returned 0x940d10 [0260.893] GetStartupInfoW (in: lpStartupInfo=0x18f768 | out: lpStartupInfo=0x18f768*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0260.893] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0260.894] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0260.894] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0260.894] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"" [0260.894] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"" [0260.894] GetACP () returned 0x4e4 [0260.894] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x220) returned 0x941b18 [0260.894] IsValidCodePage (CodePage=0x4e4) returned 1 [0260.894] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f788 | out: lpCPInfo=0x18f788) returned 1 [0260.894] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f050 | out: lpCPInfo=0x18f050) returned 1 [0260.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18edf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0260.894] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f064 | out: lpCharType=0x18f064) returned 1 [0260.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.894] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0260.894] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0260.895] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0260.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0260.895] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f564, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<\x9fnM ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0260.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0260.895] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0260.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0260.895] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0260.895] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f464, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ<\x9fnM ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0260.895] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x80) returned 0x933870 [0260.895] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0260.895] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x18a) returned 0x941d40 [0260.895] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0260.895] GetLastError () returned 0x0 [0260.895] SetLastError (dwErrCode=0x0) [0260.895] GetEnvironmentStringsW () returned 0x941ed8* [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0xa8c) returned 0x942970 [0260.896] FreeEnvironmentStringsW (penv=0x941ed8) returned 1 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x934568 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3e) returned 0x93aed0 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x5c) returned 0x938840 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x6e) returned 0x93a690 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x78) returned 0x943bb0 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x934a00 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x28) returned 0x93a378 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x933d90 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1a) returned 0x93a3a8 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93ae40 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x933fe8 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2a) returned 0x938728 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x9385d8 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1c) returned 0x930570 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x144) returned 0x939a58 [0260.896] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x7c) returned 0x9380a0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93e130 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93adb0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x9343a0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x934630 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x30) returned 0x938610 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93e4b0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x933bf0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x933910 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3c) returned 0x93ab70 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xd6) returned 0x939c18 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x938798 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1e) returned 0x933c40 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x9384c0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x54) returned 0x932900 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x9304b8 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x934660 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x42) returned 0x933e08 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x9386f0 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x44) returned 0x933e58 [0260.897] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x934070 [0260.898] HeapFree (in: hHeap=0x930000, dwFlags=0x0, lpMem=0x942970 | out: hHeap=0x930000) returned 1 [0260.898] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x800) returned 0x941ed8 [0260.898] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0260.898] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0260.898] GetStartupInfoW (in: lpStartupInfo=0x18f7cc | out: lpStartupInfo=0x18f7cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0260.898] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"" [0260.899] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"", pNumArgs=0x18f7b8 | out: pNumArgs=0x18f7b8) returned 0x942b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0260.899] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0260.905] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x1000) returned 0x944410 [0260.906] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x38) returned 0x93e570 [0260.906] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_freeSession", cchWideChar=-1, lpMultiByteStr=0x93e570, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_freeSession", lpUsedDefaultChar=0x0) returned 28 [0260.906] GetLastError () returned 0x0 [0260.906] SetLastError (dwErrCode=0x0) [0260.906] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionW") returned 0x0 [0260.906] GetLastError () returned 0x7f [0260.906] SetLastError (dwErrCode=0x7f) [0260.906] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSessionA") returned 0x0 [0260.907] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_freeSession") returned 0x647cf0be [0260.907] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x4) returned 0x93a818 [0260.907] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x93a818, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0260.907] GetActiveWindow () returned 0x0 [0260.908] GetLastError () returned 0x7f [0260.908] SetLastError (dwErrCode=0x7f) Thread: id = 790 os_tid = 0xe28 Process: id = "374" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2e2a2000" os_pid = "0x1338" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "371" os_parent_pid = "0x1148" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_createSession /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "375" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x3e96000" os_pid = "0xb94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "373" os_parent_pid = "0x12ac" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4780 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27504 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27505 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27506 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27507 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27508 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 27509 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 27510 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 27511 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27512 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 27513 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 27514 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 27515 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27516 start_va = 0x7ed10000 end_va = 0x7ed32fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed10000" filename = "" Region: id = 27517 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27518 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27519 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 27520 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27521 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27522 start_va = 0x100000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 27523 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27524 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27525 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27526 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27532 start_va = 0x480000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 27533 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27534 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27535 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27536 start_va = 0x7ec10000 end_va = 0x7ed0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec10000" filename = "" Region: id = 27537 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27538 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27539 start_va = 0x100000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 27540 start_va = 0x140000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 27541 start_va = 0x1b0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27542 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27543 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27559 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 27560 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27561 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27562 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27563 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 27564 start_va = 0x660000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 27565 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27566 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27567 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27568 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 27569 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 27570 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27571 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 27572 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 27573 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 27574 start_va = 0x760000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 27575 start_va = 0x760000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 27576 start_va = 0x950000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 27577 start_va = 0x4d0000 end_va = 0x4d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 27599 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27600 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27601 start_va = 0x4e0000 end_va = 0x509fff monitored = 0 entry_point = 0x4e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27602 start_va = 0x760000 end_va = 0x8e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 27603 start_va = 0x8f0000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 27604 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27605 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 27606 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 27607 start_va = 0x4e0000 end_va = 0x4e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 27618 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27619 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 27620 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 27621 start_va = 0xaf0000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 27658 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 27659 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 27660 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 27661 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27662 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 27663 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 27664 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27665 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27666 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27667 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27668 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27669 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27670 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27671 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27672 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27673 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27674 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27681 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27682 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27683 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27684 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27685 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27686 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27687 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27688 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27689 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27690 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27691 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27692 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27693 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27694 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27695 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27696 start_va = 0x510000 end_va = 0x516fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 27698 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27699 start_va = 0x510000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 27700 start_va = 0x550000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 27707 start_va = 0x510000 end_va = 0x511fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 27709 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27710 start_va = 0x6ed00000 end_va = 0x6f11dfff monitored = 0 entry_point = 0x6edfee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 27711 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27712 start_va = 0x6f850000 end_va = 0x6f8bffff monitored = 0 entry_point = 0x6f8a4b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 27713 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 27714 start_va = 0xaf0000 end_va = 0xbd9fff monitored = 0 entry_point = 0xb2d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27715 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 27716 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 27717 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27719 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 27720 start_va = 0xaf0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 27721 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27722 start_va = 0xc70000 end_va = 0xfa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 27723 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27724 start_va = 0x520000 end_va = 0x523fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27725 start_va = 0x520000 end_va = 0x525fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27726 start_va = 0x520000 end_va = 0x527fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27727 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 27728 start_va = 0x520000 end_va = 0x529fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27729 start_va = 0x520000 end_va = 0x52bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27730 start_va = 0x520000 end_va = 0x52dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27731 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27732 start_va = 0x520000 end_va = 0x531fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27733 start_va = 0x520000 end_va = 0x533fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27734 start_va = 0x520000 end_va = 0x535fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27735 start_va = 0x520000 end_va = 0x537fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27736 start_va = 0x520000 end_va = 0x539fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27737 start_va = 0x520000 end_va = 0x53bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27738 start_va = 0x520000 end_va = 0x53dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27739 start_va = 0x520000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27740 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 27862 start_va = 0x6610000 end_va = 0x66dcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 27863 start_va = 0x66e0000 end_va = 0x6793fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 27872 start_va = 0x67a0000 end_va = 0x6843fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067a0000" filename = "" Region: id = 27873 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 27874 start_va = 0x530000 end_va = 0x532fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 27875 start_va = 0x540000 end_va = 0x543fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 27876 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 27877 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27878 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27879 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27880 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27881 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27882 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27883 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27884 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27885 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27886 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27887 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27888 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27889 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27890 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27891 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27892 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27893 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27894 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27895 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27896 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27897 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27898 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27899 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 27900 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27901 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27902 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27903 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27904 start_va = 0x5d0000 end_va = 0x5d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27905 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 27906 start_va = 0x190000 end_va = 0x191fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27907 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27908 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27909 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27910 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27911 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27912 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 27913 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 27914 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27915 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 27916 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 27917 start_va = 0x1c0000 end_va = 0x1c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 27918 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 27919 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 27920 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 27921 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28283 start_va = 0x5f0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 28284 start_va = 0x900000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 28285 start_va = 0xbf0000 end_va = 0xc2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 28286 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 28287 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 28288 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 28289 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 28658 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 28659 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 28985 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 29310 start_va = 0x5d0000 end_va = 0x5d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 29311 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 29312 start_va = 0x6f800000 end_va = 0x6f833fff monitored = 0 entry_point = 0x6f818280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 29510 start_va = 0x6f8b0000 end_va = 0x6f8b8fff monitored = 0 entry_point = 0x6f8b3830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 29662 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 29663 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 29664 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 29665 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 29848 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 30106 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 30107 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 30130 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 30131 start_va = 0x6890000 end_va = 0x68cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006890000" filename = "" Region: id = 30132 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 30133 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 30134 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 30135 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 30136 start_va = 0x68d0000 end_va = 0x698bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068d0000" filename = "" Region: id = 30137 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 30138 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 30139 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 30140 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 30141 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 30162 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 30163 start_va = 0xc30000 end_va = 0xc30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 30164 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 30165 start_va = 0xc40000 end_va = 0xc42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 30166 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30167 start_va = 0x6990000 end_va = 0x6e81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006990000" filename = "" Region: id = 30168 start_va = 0x6e90000 end_va = 0x7ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 30176 start_va = 0x7ed0000 end_va = 0x7f11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007ed0000" filename = "" Region: id = 30226 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30227 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 792 os_tid = 0xc78 Thread: id = 794 os_tid = 0x13a0 Thread: id = 800 os_tid = 0x83c Thread: id = 816 os_tid = 0xcd0 Thread: id = 819 os_tid = 0xd3c Thread: id = 820 os_tid = 0xe7c Thread: id = 850 os_tid = 0x1078 Thread: id = 865 os_tid = 0xf58 Process: id = "376" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3ee2000" os_pid = "0x131c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27578 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27579 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27580 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27581 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27582 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27583 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27584 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 27585 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27586 start_va = 0x7ed20000 end_va = 0x7ed42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed20000" filename = "" Region: id = 27587 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27588 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27589 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27590 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27591 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27592 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27593 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27608 start_va = 0x410000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 27609 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27610 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27611 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27612 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27613 start_va = 0x410000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 27614 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 27615 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27616 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27622 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27623 start_va = 0x7ec20000 end_va = 0x7ed1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec20000" filename = "" Region: id = 27624 start_va = 0x5e0000 end_va = 0x69dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27625 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27626 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27627 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27628 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 27629 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27630 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27631 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27632 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27633 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27634 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27635 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27636 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27637 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27638 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27639 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27640 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27641 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27642 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27643 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27644 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27645 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27646 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27647 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27648 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 27649 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 27650 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27651 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27652 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 27653 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 27654 start_va = 0xac0000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 27655 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 27656 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27657 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 27677 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 27678 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 27679 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 27680 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 27697 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 27701 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 27702 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 27703 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 27704 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 27705 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 795 os_tid = 0x7a0 [0261.932] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0261.933] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0261.933] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0261.933] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0261.933] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0261.933] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0261.934] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0261.934] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0261.934] GetProcessHeap () returned 0x490000 [0261.935] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0261.935] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0261.935] GetLastError () returned 0x7e [0261.935] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0261.935] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0261.935] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x364) returned 0x4a09a0 [0261.936] SetLastError (dwErrCode=0x7e) [0261.936] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe00) returned 0x4a0d10 [0261.937] GetStartupInfoW (in: lpStartupInfo=0x18fe48 | out: lpStartupInfo=0x18fe48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0261.937] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0261.937] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0261.938] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0261.938] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"" [0261.938] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"" [0261.938] GetACP () returned 0x4e4 [0261.938] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x220) returned 0x4a1b18 [0261.938] IsValidCodePage (CodePage=0x4e4) returned 1 [0261.938] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe68 | out: lpCPInfo=0x18fe68) returned 1 [0261.938] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f730 | out: lpCPInfo=0x18f730) returned 1 [0261.938] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0261.938] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0261.938] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f744 | out: lpCharType=0x18f744) returned 1 [0261.938] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0261.938] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x18f488, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0261.938] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0261.938] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0261.938] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0261.938] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f278, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0261.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0bËòB\x80þ\x18", lpUsedDefaultChar=0x0) returned 256 [0261.939] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0261.939] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd44, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0261.939] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0261.939] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0261.939] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb44, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0bËòB\x80þ\x18", lpUsedDefaultChar=0x0) returned 256 [0261.939] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x80) returned 0x493878 [0261.939] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0261.939] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x190) returned 0x4a1d40 [0261.939] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0261.939] GetLastError () returned 0x0 [0261.939] SetLastError (dwErrCode=0x0) [0261.939] GetEnvironmentStringsW () returned 0x4a1ed8* [0261.939] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0xa8c) returned 0x4a2970 [0261.940] FreeEnvironmentStringsW (penv=0x4a1ed8) returned 1 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x90) returned 0x494568 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3e) returned 0x49ae40 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x5c) returned 0x498aa0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x6e) returned 0x494630 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x78) returned 0x4a34b0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x494a00 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x28) returned 0x493d98 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x48) returned 0x493fe8 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x490570 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3a) returned 0x49ab28 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x493bf8 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2a) returned 0x498418 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2e) returned 0x4984c0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1c) returned 0x493dc8 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x144) returned 0x499cb8 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x7c) returned 0x4980a0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x36) returned 0x49e430 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3a) returned 0x49ab70 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x90) returned 0x4943a0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493918 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x30) returned 0x4984f8 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x36) returned 0x49e2f0 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x48) returned 0x492908 [0261.940] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x52) returned 0x4904b8 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3c) returned 0x49b110 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xd6) returned 0x499e78 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2e) returned 0x498680 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1e) returned 0x492958 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2c) returned 0x4985a0 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x54) returned 0x493e10 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x52) returned 0x494070 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493e70 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x42) returned 0x4940d0 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2c) returned 0x498568 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x499fa8 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493948 [0261.941] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a2970 | out: hHeap=0x490000) returned 1 [0261.941] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x800) returned 0x4a1ed8 [0261.942] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0261.942] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0261.942] GetStartupInfoW (in: lpStartupInfo=0x18feac | out: lpStartupInfo=0x18feac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0261.942] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"" [0261.942] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"", pNumArgs=0x18fe98 | out: pNumArgs=0x18fe98) returned 0x4a2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0261.942] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0261.945] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x1000) returned 0x4a4410 [0261.945] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x3e) returned 0x49adf8 [0261.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getCleanupHook", cchWideChar=-1, lpMultiByteStr=0x49adf8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0261.945] GetLastError () returned 0x0 [0261.945] SetLastError (dwErrCode=0x0) [0261.945] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookW") returned 0x0 [0261.945] GetLastError () returned 0x7f [0261.945] SetLastError (dwErrCode=0x7f) [0261.945] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHookA") returned 0x0 [0261.945] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getCleanupHook") returned 0x647cf05a [0261.945] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x4) returned 0x493820 [0261.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x493820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0261.946] GetActiveWindow () returned 0x0 [0261.946] GetLastError () returned 0x7f [0261.946] SetLastError (dwErrCode=0x7f) Thread: id = 799 os_tid = 0x1354 Process: id = "377" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x72f72000" os_pid = "0xda0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "373" os_parent_pid = "0x12ac" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_freeSession /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "378" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2f3f000" os_pid = "0x340" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "376" os_parent_pid = "0x131c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getCleanupHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "379" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x23f1000" os_pid = "0x11ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27748 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27749 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27750 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27751 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27752 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27753 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27754 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27755 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27756 start_va = 0x920000 end_va = 0x921fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 27757 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 27758 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27759 start_va = 0x7ea20000 end_va = 0x7ea42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea20000" filename = "" Region: id = 27760 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27761 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27762 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27763 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27764 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27765 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27766 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27767 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27768 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27769 start_va = 0x930000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27770 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27771 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27772 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27773 start_va = 0x7e920000 end_va = 0x7ea1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e920000" filename = "" Region: id = 27774 start_va = 0x480000 end_va = 0x53dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27775 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27776 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27777 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27778 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 27779 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27780 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27781 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27782 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27783 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27797 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27798 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27799 start_va = 0x920000 end_va = 0x923fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 27800 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27801 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27802 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27803 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27804 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27805 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27806 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27807 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27808 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27809 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27810 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 27811 start_va = 0x930000 end_va = 0x959fff monitored = 0 entry_point = 0x935680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27812 start_va = 0x990000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 27813 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27841 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27842 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27843 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 27844 start_va = 0x930000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27845 start_va = 0xa90000 end_va = 0xc10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 27846 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 27847 start_va = 0xc20000 end_va = 0xcb0fff monitored = 0 entry_point = 0xc58cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 27848 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 27849 start_va = 0x930000 end_va = 0x930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 27850 start_va = 0x950000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 27851 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 27852 start_va = 0x940000 end_va = 0x947fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 27866 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 27867 start_va = 0x960000 end_va = 0x961fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 27868 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 27869 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 27870 start_va = 0x940000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 27871 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Thread: id = 801 os_tid = 0x1378 [0263.083] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0263.083] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0263.083] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0263.083] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0263.083] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0263.084] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0263.084] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0263.085] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0263.085] GetProcessHeap () returned 0x990000 [0263.085] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0263.085] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0263.085] GetLastError () returned 0x7e [0263.086] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0263.086] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0263.086] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x364) returned 0x9a0a58 [0263.086] SetLastError (dwErrCode=0x7e) [0263.086] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0xe00) returned 0x9a0dc8 [0263.088] GetStartupInfoW (in: lpStartupInfo=0x18f6c0 | out: lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0263.088] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0263.088] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0263.088] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0263.088] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"" [0263.088] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"" [0263.088] GetACP () returned 0x4e4 [0263.088] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0x220) returned 0x9a1bd0 [0263.088] IsValidCodePage (CodePage=0x4e4) returned 1 [0263.088] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6e0 | out: lpCPInfo=0x18f6e0) returned 1 [0263.088] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18efa8 | out: lpCPInfo=0x18efa8) returned 1 [0263.088] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0263.088] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x18ed48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0263.089] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18efbc | out: lpCharType=0x18efbc) returned 1 [0263.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0263.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x18ecf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0263.089] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0263.089] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0263.089] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0263.089] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eae8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0263.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f4bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÆ\x9b \x16øö\x18", lpUsedDefaultChar=0x0) returned 256 [0263.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0263.089] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f5bc, cbMultiByte=256, lpWideCharStr=0x18ed18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0263.089] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0263.089] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18eb08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0263.089] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f3bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÆ\x9b \x16øö\x18", lpUsedDefaultChar=0x0) returned 256 [0263.089] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0x80) returned 0x993860 [0263.089] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x182) returned 0x9a1df8 [0263.090] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0263.090] GetLastError () returned 0x0 [0263.090] SetLastError (dwErrCode=0x0) [0263.090] GetEnvironmentStringsW () returned 0x9a1f88* [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0xa8c) returned 0x9a2a20 [0263.090] FreeEnvironmentStringsW (penv=0x9a1f88) returned 1 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x90) returned 0x994550 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x3e) returned 0x99ad98 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x5c) returned 0x998a88 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x6e) returned 0x994618 [0263.090] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x78) returned 0x9a3c60 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x62) returned 0x994c48 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x28) returned 0x993d80 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x48) returned 0x993fd0 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x1a) returned 0x990570 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x3a) returned 0x99ade0 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x62) returned 0x993be0 [0263.091] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x2a) returned 0x998970 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x2e) returned 0x9989a8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x1c) returned 0x993db0 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x144) returned 0x999ca0 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x7c) returned 0x9982e8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x36) returned 0x99e6a8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x3a) returned 0x99a9a8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x90) returned 0x994388 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x24) returned 0x993900 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x30) returned 0x9988c8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x36) returned 0x99e468 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x48) returned 0x9928f8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x52) returned 0x9904b8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x3c) returned 0x99aa80 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0xd6) returned 0x999e60 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x2e) returned 0x9989e0 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x1e) returned 0x992948 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x2c) returned 0x998660 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x54) returned 0x993df8 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x52) returned 0x994058 [0263.092] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x24) returned 0x993e58 [0263.093] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x42) returned 0x9940b8 [0263.093] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x2c) returned 0x998740 [0263.093] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x44) returned 0x999f90 [0263.093] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x24) returned 0x993930 [0263.093] HeapFree (in: hHeap=0x990000, dwFlags=0x0, lpMem=0x9a2a20 | out: hHeap=0x990000) returned 1 [0263.093] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x8, Size=0x800) returned 0x9a1f88 [0263.093] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0263.093] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0263.094] GetStartupInfoW (in: lpStartupInfo=0x18f724 | out: lpStartupInfo=0x18f724*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0263.094] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"" [0263.094] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"", pNumArgs=0x18f710 | out: pNumArgs=0x18f710) returned 0x9a2bd8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0263.094] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0263.097] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0x1000) returned 0x9a44c0 [0263.097] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0x30) returned 0x998698 [0263.097] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_getX509", cchWideChar=-1, lpMultiByteStr=0x998698, cbMultiByte=48, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_getX509", lpUsedDefaultChar=0x0) returned 24 [0263.097] GetLastError () returned 0x0 [0263.097] SetLastError (dwErrCode=0x0) [0263.097] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509W") returned 0x0 [0263.097] GetLastError () returned 0x7f [0263.097] SetLastError (dwErrCode=0x7f) [0263.097] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509A") returned 0x0 [0263.097] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_getX509") returned 0x647ced54 [0263.098] RtlAllocateHeap (HeapHandle=0x990000, Flags=0x0, Size=0x4) returned 0x993808 [0263.098] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x993808, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0263.098] GetActiveWindow () returned 0x0 [0263.100] GetLastError () returned 0x7f [0263.100] SetLastError (dwErrCode=0x7f) Thread: id = 803 os_tid = 0xd9c Process: id = "380" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x47480000" os_pid = "0x784" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "379" os_parent_pid = "0x11ec" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_getX509 /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "381" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x20709000" os_pid = "0xd44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 27922 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 27923 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 27924 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 27925 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 27926 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 27927 start_va = 0x670000 end_va = 0x671fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 27928 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 27929 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 27930 start_va = 0x7e9c0000 end_va = 0x7e9e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9c0000" filename = "" Region: id = 27931 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 27932 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 27933 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 27934 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 27935 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 27936 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 27937 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 27938 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 27939 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 27940 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 27941 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27942 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 27943 start_va = 0x680000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 27944 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 27945 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 27946 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 27947 start_va = 0x7e8c0000 end_va = 0x7e9bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8c0000" filename = "" Region: id = 27948 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 27949 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 27950 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 27951 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 27952 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 27953 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 27954 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 27955 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 27956 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 27957 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 27958 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 27959 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 27960 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 27961 start_va = 0x670000 end_va = 0x673fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 27962 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 27963 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 27964 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 27965 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 27966 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 27967 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 27968 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 27969 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 27970 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 27971 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 27972 start_va = 0x680000 end_va = 0x6a9fff monitored = 0 entry_point = 0x685680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27973 start_va = 0x760000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 27974 start_va = 0x860000 end_va = 0x9e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 27975 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 27976 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 27977 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 27978 start_va = 0x680000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 27979 start_va = 0x9f0000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 27980 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28014 start_va = 0xb80000 end_va = 0xc10fff monitored = 0 entry_point = 0xbb8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28017 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28018 start_va = 0x680000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 28019 start_va = 0x6e0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 28020 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 28021 start_va = 0x690000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 28022 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 28023 start_va = 0x6a0000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 28024 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 28025 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 28026 start_va = 0x690000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 28027 start_va = 0x6a0000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Thread: id = 804 os_tid = 0xd08 [0264.286] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0264.287] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.287] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0264.287] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.287] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0264.287] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0264.288] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.288] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0264.288] GetProcessHeap () returned 0x760000 [0264.288] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.288] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0264.289] GetLastError () returned 0x7e [0264.289] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0264.289] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0264.289] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x364) returned 0x7709a0 [0264.289] SetLastError (dwErrCode=0x7e) [0264.289] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xe00) returned 0x770d10 [0264.291] GetStartupInfoW (in: lpStartupInfo=0x18fc70 | out: lpStartupInfo=0x18fc70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0264.291] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0264.291] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0264.291] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0264.291] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"" [0264.291] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"" [0264.291] GetACP () returned 0x4e4 [0264.291] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x220) returned 0x771b18 [0264.291] IsValidCodePage (CodePage=0x4e4) returned 1 [0264.291] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc90 | out: lpCPInfo=0x18fc90) returned 1 [0264.291] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f558 | out: lpCPInfo=0x18f558) returned 1 [0264.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x18f2f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0264.291] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f56c | out: lpCharType=0x18f56c) returned 1 [0264.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x18f2a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0264.291] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.292] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0264.292] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0264.292] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f098, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0264.292] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa6c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0fÚËÙ¨ü\x18", lpUsedDefaultChar=0x0) returned 256 [0264.292] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.292] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb6c, cbMultiByte=256, lpWideCharStr=0x18f2c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0264.292] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0264.292] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0264.292] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f96c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0fÚËÙ¨ü\x18", lpUsedDefaultChar=0x0) returned 256 [0264.292] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x80) returned 0x763878 [0264.292] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0264.292] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x190) returned 0x771d40 [0264.292] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0264.292] GetLastError () returned 0x0 [0264.292] SetLastError (dwErrCode=0x0) [0264.292] GetEnvironmentStringsW () returned 0x771ed8* [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0xa8c) returned 0x772970 [0264.293] FreeEnvironmentStringsW (penv=0x771ed8) returned 1 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x764568 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3e) returned 0x76b158 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x5c) returned 0x768840 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x6e) returned 0x764630 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x78) returned 0x773730 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x764a00 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x28) returned 0x763d98 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x763fe8 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1a) returned 0x760570 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76ac00 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x62) returned 0x763bf8 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2a) returned 0x7685d8 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x768450 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1c) returned 0x763dc8 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x144) returned 0x769cb8 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x7c) returned 0x7680a0 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e130 [0264.293] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3a) returned 0x76ab70 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x90) returned 0x7643a0 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763918 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x30) returned 0x768648 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x36) returned 0x76e630 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x48) returned 0x762908 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x7604b8 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x3c) returned 0x76af18 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0xd6) returned 0x769e78 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2e) returned 0x768530 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x1e) returned 0x762958 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x768488 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x54) returned 0x763e10 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x52) returned 0x764070 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763e70 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x42) returned 0x7640d0 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x2c) returned 0x7686f0 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x44) returned 0x769fa8 [0264.294] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x24) returned 0x763948 [0264.295] HeapFree (in: hHeap=0x760000, dwFlags=0x0, lpMem=0x772970 | out: hHeap=0x760000) returned 1 [0264.295] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x8, Size=0x800) returned 0x771ed8 [0264.296] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0264.296] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0264.296] GetStartupInfoW (in: lpStartupInfo=0x18fcd4 | out: lpStartupInfo=0x18fcd4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0264.296] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"" [0264.296] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"", pNumArgs=0x18fcc0 | out: pNumArgs=0x18fcc0) returned 0x772b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0264.296] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0264.299] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x1000) returned 0x774410 [0264.299] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x3e) returned 0x76abb8 [0264.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getEVP", cchWideChar=-1, lpMultiByteStr=0x76abb8, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getEVP", lpUsedDefaultChar=0x0) returned 31 [0264.299] GetLastError () returned 0x0 [0264.299] SetLastError (dwErrCode=0x0) [0264.299] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPW") returned 0x0 [0264.299] GetLastError () returned 0x7f [0264.299] SetLastError (dwErrCode=0x7f) [0264.299] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVPA") returned 0x0 [0264.300] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getEVP") returned 0x647cf371 [0264.300] RtlAllocateHeap (HeapHandle=0x760000, Flags=0x0, Size=0x4) returned 0x763820 [0264.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x763820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0264.300] GetActiveWindow () returned 0x0 [0264.300] GetLastError () returned 0x7f [0264.301] SetLastError (dwErrCode=0x7f) Thread: id = 806 os_tid = 0x11e0 Process: id = "382" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79705000" os_pid = "0x1324" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "381" os_parent_pid = "0xd44" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getEVP /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "383" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63021000" os_pid = "0x464" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28030 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28031 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28032 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28033 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28034 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28035 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28036 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28037 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28038 start_va = 0xc80000 end_va = 0xc81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 28039 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28040 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28041 start_va = 0x7ef70000 end_va = 0x7ef92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef70000" filename = "" Region: id = 28042 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28043 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28044 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28045 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28046 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28047 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28048 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28049 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28050 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28051 start_va = 0xc90000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 28052 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28053 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28054 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28055 start_va = 0x7ee70000 end_va = 0x7ef6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee70000" filename = "" Region: id = 28056 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28057 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28058 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28059 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 28060 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 28061 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28062 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28063 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28064 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28065 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28066 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28067 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28068 start_va = 0xc80000 end_va = 0xc83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 28069 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28070 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28071 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28072 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28073 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28074 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28075 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28076 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28077 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28078 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28079 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 28080 start_va = 0xc90000 end_va = 0xcb9fff monitored = 0 entry_point = 0xc95680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28081 start_va = 0xd30000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 28082 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28083 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28084 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28085 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 28086 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 28087 start_va = 0xe30000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 28088 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28089 start_va = 0xc90000 end_va = 0xd20fff monitored = 0 entry_point = 0xcc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28090 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28091 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 28092 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 28093 start_va = 0xca0000 end_va = 0xca7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 28094 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 28095 start_va = 0xcb0000 end_va = 0xcb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 28096 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 28097 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 28098 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 28099 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Thread: id = 807 os_tid = 0x1210 [0264.771] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0264.771] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.771] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0264.771] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.771] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0264.772] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0264.772] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.772] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0264.773] GetProcessHeap () returned 0xd30000 [0264.773] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.773] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0264.773] GetLastError () returned 0x7e [0264.773] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0264.773] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0264.773] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x364) returned 0xd409a0 [0264.773] SetLastError (dwErrCode=0x7e) [0264.773] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0xe00) returned 0xd40d10 [0264.775] GetStartupInfoW (in: lpStartupInfo=0x18fcac | out: lpStartupInfo=0x18fcac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0264.775] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0264.775] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0264.775] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0264.775] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"" [0264.775] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"" [0264.775] GetACP () returned 0x4e4 [0264.775] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0x220) returned 0xd41b18 [0264.775] IsValidCodePage (CodePage=0x4e4) returned 1 [0264.775] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fccc | out: lpCPInfo=0x18fccc) returned 1 [0264.775] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f594 | out: lpCPInfo=0x18f594) returned 1 [0264.775] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.775] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f338, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0264.775] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f5a8 | out: lpCharType=0x18f5a8) returned 1 [0264.776] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.776] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0264.776] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0264.776] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0264.776] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0264.776] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0264.776] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18faa8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk¡P¦äü\x18", lpUsedDefaultChar=0x0) returned 256 [0264.776] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0264.776] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fba8, cbMultiByte=256, lpWideCharStr=0x18f308, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0264.776] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0264.776] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f0f8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0264.776] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f9a8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿk¡P¦äü\x18", lpUsedDefaultChar=0x0) returned 256 [0264.776] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0x80) returned 0xd33878 [0264.776] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0264.776] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x190) returned 0xd41d40 [0264.776] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0264.777] GetLastError () returned 0x0 [0264.777] SetLastError (dwErrCode=0x0) [0264.777] GetEnvironmentStringsW () returned 0xd41ed8* [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0xa8c) returned 0xd42970 [0264.777] FreeEnvironmentStringsW (penv=0xd41ed8) returned 1 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x90) returned 0xd347c8 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x3e) returned 0xd3acd8 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x5c) returned 0xd38aa0 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x6e) returned 0xd34890 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x78) returned 0xd437b0 [0264.777] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x62) returned 0xd34c60 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x28) returned 0xd33d98 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x48) returned 0xd33fe8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x1a) returned 0xd30570 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x3a) returned 0xd3aa08 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x62) returned 0xd33bf8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x2a) returned 0xd38720 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x2e) returned 0xd38800 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x1c) returned 0xd33dc8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x144) returned 0xd39cb8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x7c) returned 0xd38300 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x36) returned 0xd3dff0 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x3a) returned 0xd3ad20 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x90) returned 0xd34600 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x24) returned 0xd33918 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x30) returned 0xd38758 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x36) returned 0xd3e0b0 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x48) returned 0xd32908 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x52) returned 0xd304b8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x3c) returned 0xd3b0c8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0xd6) returned 0xd39e78 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x2e) returned 0xd388e0 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x1e) returned 0xd32958 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x2c) returned 0xd388a8 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x54) returned 0xd33e10 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x52) returned 0xd34070 [0264.778] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x24) returned 0xd33e70 [0264.779] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x42) returned 0xd340d0 [0264.779] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x2c) returned 0xd386e8 [0264.779] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x44) returned 0xd39fa8 [0264.779] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x24) returned 0xd33948 [0264.780] HeapFree (in: hHeap=0xd30000, dwFlags=0x0, lpMem=0xd42970 | out: hHeap=0xd30000) returned 1 [0264.780] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x8, Size=0x800) returned 0xd41ed8 [0264.780] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0264.780] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0264.780] GetStartupInfoW (in: lpStartupInfo=0x18fd10 | out: lpStartupInfo=0x18fd10*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0264.780] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"" [0264.780] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"", pNumArgs=0x18fcfc | out: pNumArgs=0x18fcfc) returned 0xd42b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0264.781] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0264.783] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0x1000) returned 0xd44410 [0264.784] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0x3e) returned 0xd3aa98 [0264.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getRSA", cchWideChar=-1, lpMultiByteStr=0xd3aa98, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getRSA", lpUsedDefaultChar=0x0) returned 31 [0264.784] GetLastError () returned 0x0 [0264.784] SetLastError (dwErrCode=0x0) [0264.784] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAW") returned 0x0 [0264.784] GetLastError () returned 0x7f [0264.784] SetLastError (dwErrCode=0x7f) [0264.784] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSAA") returned 0x0 [0264.784] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getRSA") returned 0x647cf249 [0264.784] RtlAllocateHeap (HeapHandle=0xd30000, Flags=0x0, Size=0x4) returned 0xd33820 [0264.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xd33820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0264.785] GetActiveWindow () returned 0x0 [0264.785] GetLastError () returned 0x7f [0264.785] SetLastError (dwErrCode=0x7f) Thread: id = 809 os_tid = 0x13a8 Process: id = "384" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3241b000" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "383" os_parent_pid = "0x464" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getRSA /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "385" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x47939000" os_pid = "0x13fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28103 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28104 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28105 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28106 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28107 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28108 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28109 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28110 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28111 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 28112 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28113 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28114 start_va = 0x7f2d0000 end_va = 0x7f2f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2d0000" filename = "" Region: id = 28115 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28116 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28117 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28118 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28119 start_va = 0x400000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28120 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28121 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28122 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28123 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28124 start_va = 0x620000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 28125 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28126 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28127 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28128 start_va = 0x7f1d0000 end_va = 0x7f2cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1d0000" filename = "" Region: id = 28129 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28130 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 28131 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28132 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28133 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28134 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 28135 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28136 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28137 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28138 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28139 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28140 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28141 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28142 start_va = 0x610000 end_va = 0x613fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 28143 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28144 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28145 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28146 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28147 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28148 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28149 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28150 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28151 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28152 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28153 start_va = 0x620000 end_va = 0x649fff monitored = 0 entry_point = 0x625680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28154 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 28155 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 28156 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28157 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28158 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 28159 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 28160 start_va = 0xb70000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 28161 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28162 start_va = 0xb70000 end_va = 0xc00fff monitored = 0 entry_point = 0xba8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28163 start_va = 0xd40000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 28164 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28165 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 28166 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 28167 start_va = 0x630000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 28168 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 28169 start_va = 0x640000 end_va = 0x641fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 28170 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 28171 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 28172 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 28173 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Thread: id = 810 os_tid = 0x3b8 [0265.210] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.210] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.210] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0265.210] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.211] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0265.211] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0265.211] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.212] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0265.212] GetProcessHeap () returned 0x650000 [0265.212] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.212] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0265.212] GetLastError () returned 0x7e [0265.212] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0265.213] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0265.213] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x364) returned 0x6609a0 [0265.213] SetLastError (dwErrCode=0x7e) [0265.213] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xe00) returned 0x660d10 [0265.215] GetStartupInfoW (in: lpStartupInfo=0x18fd5c | out: lpStartupInfo=0x18fd5c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0265.215] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0265.215] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0265.215] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0265.215] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"" [0265.215] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"" [0265.215] GetACP () returned 0x4e4 [0265.215] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x220) returned 0x661b18 [0265.215] IsValidCodePage (CodePage=0x4e4) returned 1 [0265.215] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd7c | out: lpCPInfo=0x18fd7c) returned 1 [0265.215] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f644 | out: lpCPInfo=0x18f644) returned 1 [0265.215] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.215] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x18f3e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0265.216] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f658 | out: lpCharType=0x18f658) returned 1 [0265.216] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.216] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x18f398, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.219] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.219] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0265.219] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.219] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f188, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.220] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x02p\"\x94ý\x18", lpUsedDefaultChar=0x0) returned 256 [0265.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpWideCharStr=0x18f3b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0265.220] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.220] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f1a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0265.220] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa58, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x02p\"\x94ý\x18", lpUsedDefaultChar=0x0) returned 256 [0265.220] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x80) returned 0x653878 [0265.220] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0265.220] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x192) returned 0x661d40 [0265.220] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0265.220] GetLastError () returned 0x0 [0265.220] SetLastError (dwErrCode=0x0) [0265.220] GetEnvironmentStringsW () returned 0x661ee0* [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0xa8c) returned 0x662978 [0265.221] FreeEnvironmentStringsW (penv=0x661ee0) returned 1 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x90) returned 0x6547c8 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3e) returned 0x65ac90 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x5c) returned 0x658aa0 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x6e) returned 0x654890 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x78) returned 0x663c38 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x62) returned 0x654c60 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x28) returned 0x653d98 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x48) returned 0x653fe8 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1a) returned 0x650570 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3a) returned 0x65aa50 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x62) returned 0x653bf8 [0265.221] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2a) returned 0x6588a8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e) returned 0x658988 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1c) returned 0x653dc8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x144) returned 0x659cb8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x7c) returned 0x658300 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x36) returned 0x65deb0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3a) returned 0x65aa98 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x90) returned 0x6543a0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653918 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x30) returned 0x6589f8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x36) returned 0x65e4f0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x48) returned 0x652908 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x52) returned 0x6504b8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x3c) returned 0x65aae0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0xd6) returned 0x659e78 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2e) returned 0x658678 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x1e) returned 0x652958 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2c) returned 0x6586b0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x54) returned 0x653e10 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x52) returned 0x654070 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653e70 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x42) returned 0x6540d0 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x2c) returned 0x6587c8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x44) returned 0x659fa8 [0265.222] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x24) returned 0x653948 [0265.223] HeapFree (in: hHeap=0x650000, dwFlags=0x0, lpMem=0x662978 | out: hHeap=0x650000) returned 1 [0265.223] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x8, Size=0x800) returned 0x661ee0 [0265.223] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.223] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0265.224] GetStartupInfoW (in: lpStartupInfo=0x18fdc0 | out: lpStartupInfo=0x18fdc0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0265.224] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"" [0265.224] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"", pNumArgs=0x18fdac | out: pNumArgs=0x18fdac) returned 0x662b30*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0265.224] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0265.227] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x1000) returned 0x664418 [0265.227] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x40) returned 0x65ad20 [0265.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_session_getX509", cchWideChar=-1, lpMultiByteStr=0x65ad20, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_session_getX509", lpUsedDefaultChar=0x0) returned 32 [0265.227] GetLastError () returned 0x0 [0265.228] SetLastError (dwErrCode=0x0) [0265.228] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509W") returned 0x0 [0265.228] GetLastError () returned 0x7f [0265.228] SetLastError (dwErrCode=0x7f) [0265.228] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509A") returned 0x0 [0265.228] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_session_getX509") returned 0x647cf5b2 [0265.228] RtlAllocateHeap (HeapHandle=0x650000, Flags=0x0, Size=0x4) returned 0x653820 [0265.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x653820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0265.228] GetActiveWindow () returned 0x0 [0265.230] GetLastError () returned 0x7f [0265.231] SetLastError (dwErrCode=0x7f) Thread: id = 812 os_tid = 0x113c Process: id = "386" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6839c000" os_pid = "0xc44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "385" os_parent_pid = "0x13fc" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_session_getX509 /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "387" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x18d51000" os_pid = "0xd58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28176 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28177 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28178 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28179 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28180 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28181 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28182 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28183 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28184 start_va = 0xfe0000 end_va = 0xfe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 28185 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28186 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28187 start_va = 0x7f370000 end_va = 0x7f392fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f370000" filename = "" Region: id = 28188 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28189 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28190 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28191 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28192 start_va = 0x400000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28193 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28194 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28195 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28196 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28197 start_va = 0xff0000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 28198 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28199 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28200 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28201 start_va = 0x7f270000 end_va = 0x7f36ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f270000" filename = "" Region: id = 28202 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28203 start_va = 0x5d0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 28204 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28205 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28206 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28207 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 28208 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28209 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28210 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28211 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28215 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28216 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28217 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28218 start_va = 0xfe0000 end_va = 0xfe3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 28219 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28220 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28221 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28222 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28223 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28224 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28225 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28226 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28227 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28228 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28229 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 28230 start_va = 0xff0000 end_va = 0x1019fff monitored = 0 entry_point = 0xff5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28231 start_va = 0x1080000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 28232 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28233 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28234 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 28235 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 28236 start_va = 0x1180000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 28237 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28238 start_va = 0x1180000 end_va = 0x1210fff monitored = 0 entry_point = 0x11b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28239 start_va = 0x12c0000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 28242 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28243 start_va = 0xff0000 end_va = 0xff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 28244 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 28245 start_va = 0x1000000 end_va = 0x1007fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 28246 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 28247 start_va = 0x1010000 end_va = 0x1011fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 28248 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 28249 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 28250 start_va = 0x1000000 end_va = 0x1000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001000000" filename = "" Region: id = 28251 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Thread: id = 817 os_tid = 0xe98 [0265.850] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.850] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0265.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0265.851] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0265.851] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.852] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0265.852] GetProcessHeap () returned 0x1080000 [0265.852] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0265.852] GetLastError () returned 0x7e [0265.852] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0265.853] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0265.853] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x364) returned 0x10909a0 [0265.853] SetLastError (dwErrCode=0x7e) [0265.853] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xe00) returned 0x1090d10 [0265.855] GetStartupInfoW (in: lpStartupInfo=0x18fd4c | out: lpStartupInfo=0x18fd4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0265.855] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0265.855] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0265.855] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0265.855] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"" [0265.855] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"" [0265.855] GetACP () returned 0x4e4 [0265.855] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x220) returned 0x1091b18 [0265.855] IsValidCodePage (CodePage=0x4e4) returned 1 [0265.855] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fd6c | out: lpCPInfo=0x18fd6c) returned 1 [0265.855] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f634 | out: lpCPInfo=0x18f634) returned 1 [0265.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.855] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x18f3d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0265.855] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f648 | out: lpCharType=0x18f648) returned 1 [0265.856] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.856] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x18f388, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.856] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0265.856] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0265.856] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.856] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f178, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.856] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb48, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ9foÚ\x84ý\x18", lpUsedDefaultChar=0x0) returned 256 [0265.856] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.856] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc48, cbMultiByte=256, lpWideCharStr=0x18f3a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0265.856] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.856] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f198, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0265.856] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa48, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ9foÚ\x84ý\x18", lpUsedDefaultChar=0x0) returned 256 [0265.880] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x80) returned 0x1083878 [0265.880] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0265.880] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x190) returned 0x1091d40 [0265.880] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0265.880] GetLastError () returned 0x0 [0265.880] SetLastError (dwErrCode=0x0) [0265.880] GetEnvironmentStringsW () returned 0x1091ed8* [0265.880] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0xa8c) returned 0x1092970 [0265.880] FreeEnvironmentStringsW (penv=0x1091ed8) returned 1 [0265.880] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x10847c8 [0265.880] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3e) returned 0x108af18 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x5c) returned 0x1088aa0 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x6e) returned 0x1084890 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x78) returned 0x10940b0 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1084c60 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x28) returned 0x1083d98 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1083fe8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1a) returned 0x1080570 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108ac00 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x62) returned 0x1083bf8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2a) returned 0x1088678 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x10886b0 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1c) returned 0x1083dc8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x144) returned 0x1089cb8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x7c) returned 0x1088300 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108e630 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3a) returned 0x108af60 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x90) returned 0x1084600 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083918 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x30) returned 0x1088790 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x36) returned 0x108e4f0 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x48) returned 0x1082908 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x10804b8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x3c) returned 0x108b038 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0xd6) returned 0x1089e78 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2e) returned 0x10888a8 [0265.881] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x1e) returned 0x1082958 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x1088870 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x54) returned 0x1083e10 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x52) returned 0x1084070 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083e70 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x42) returned 0x10840d0 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x2c) returned 0x10888e0 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x44) returned 0x1089fa8 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x24) returned 0x1083948 [0265.882] HeapFree (in: hHeap=0x1080000, dwFlags=0x0, lpMem=0x1092970 | out: hHeap=0x1080000) returned 1 [0265.882] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x8, Size=0x800) returned 0x1091ed8 [0265.882] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.882] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0265.883] GetStartupInfoW (in: lpStartupInfo=0x18fdb0 | out: lpStartupInfo=0x18fdb0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0265.883] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"" [0265.883] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"", pNumArgs=0x18fd9c | out: pNumArgs=0x18fd9c) returned 0x1092b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0265.883] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0265.886] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x1000) returned 0x1094410 [0265.886] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x3e) returned 0x108aa08 [0265.886] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_openssl_setCleanupHook", cchWideChar=-1, lpMultiByteStr=0x108aa08, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_openssl_setCleanupHook", lpUsedDefaultChar=0x0) returned 31 [0265.886] GetLastError () returned 0x0 [0265.886] SetLastError (dwErrCode=0x0) [0265.886] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookW") returned 0x0 [0265.886] GetLastError () returned 0x7f [0265.886] SetLastError (dwErrCode=0x7f) [0265.886] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHookA") returned 0x0 [0265.886] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_openssl_setCleanupHook") returned 0x647cf08a [0265.887] RtlAllocateHeap (HeapHandle=0x1080000, Flags=0x0, Size=0x4) returned 0x1083820 [0265.887] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x1083820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0265.887] GetActiveWindow () returned 0x0 [0265.887] GetLastError () returned 0x7f [0265.887] SetLastError (dwErrCode=0x7f) Thread: id = 821 os_tid = 0xd04 Process: id = "388" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x74ab0000" os_pid = "0x118c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "387" os_parent_pid = "0xd58" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_openssl_setCleanupHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "389" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45268000" os_pid = "0x10e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28259 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28260 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28261 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28262 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 28263 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 28264 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 28265 start_va = 0x180000 end_va = 0x181fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 28266 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28267 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28268 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28269 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28270 start_va = 0x7f1c0000 end_va = 0x7f1e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1c0000" filename = "" Region: id = 28271 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28272 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28273 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28274 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28275 start_va = 0xc0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 28276 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28277 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28278 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28279 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28280 start_va = 0x500000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 28281 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28282 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28290 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28291 start_va = 0x7f0c0000 end_va = 0x7f1bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0c0000" filename = "" Region: id = 28292 start_va = 0x130000 end_va = 0x1edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28293 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28294 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28295 start_va = 0xc0000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 28296 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 28297 start_va = 0x640000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 28298 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28299 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28300 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28301 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28302 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28303 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28304 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28305 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 28306 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28307 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28308 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28309 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28310 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28311 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28312 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28313 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28314 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28315 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28316 start_va = 0x500000 end_va = 0x529fff monitored = 0 entry_point = 0x505680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28317 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 28318 start_va = 0x740000 end_va = 0x8c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 28319 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28320 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28321 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 28322 start_va = 0x8d0000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 28323 start_va = 0xa60000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 28324 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28325 start_va = 0xa60000 end_va = 0xaf0fff monitored = 0 entry_point = 0xa98cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28326 start_va = 0xbe0000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 28327 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28328 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 28329 start_va = 0xa60000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 28330 start_va = 0x500000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 28331 start_va = 0x520000 end_va = 0x525fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 28332 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28333 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28334 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28335 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28336 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28337 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28338 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28339 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28340 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28341 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28342 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28343 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28344 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28345 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28346 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28347 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28348 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28349 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28350 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28351 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28352 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28353 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28354 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28355 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28356 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28357 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28358 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28359 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28360 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28361 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28362 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28363 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28364 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28365 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28366 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28367 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28368 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28369 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28370 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28371 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28372 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28373 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28374 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28375 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28376 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28377 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28378 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28379 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28380 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28381 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28382 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28383 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28384 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28385 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28386 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28387 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28388 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28389 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28390 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28391 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28392 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28393 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28394 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28395 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28396 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28397 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28398 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28399 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28400 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28401 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28402 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28403 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28404 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28405 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28406 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28407 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28408 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28409 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28410 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28411 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28412 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28413 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28414 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28415 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28416 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28417 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28420 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28421 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28422 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28423 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28424 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28425 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28426 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28427 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28428 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28429 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28430 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28431 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28432 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28433 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28434 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28435 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28436 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28437 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28438 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28439 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28440 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28441 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28442 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28443 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28444 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28445 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28446 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28447 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28448 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28449 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28450 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28451 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28452 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28453 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28454 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28455 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28456 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28457 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28458 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28459 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28460 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28461 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28462 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28463 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28464 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28465 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28466 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28467 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28468 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28469 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28470 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28471 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28472 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28473 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28474 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28475 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28476 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28477 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28478 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28479 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28480 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28481 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28482 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28483 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28484 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28485 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28486 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28487 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28488 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28489 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28490 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28491 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28492 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28493 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28494 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28495 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28496 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28497 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28498 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28499 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28500 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28501 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28502 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28503 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28504 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28505 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28506 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28507 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28508 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28509 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28510 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28511 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28512 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28513 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28514 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28515 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28516 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28517 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28518 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28519 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28520 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28521 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28522 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28523 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28524 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28525 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28526 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28527 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28528 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28529 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28530 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28531 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28532 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28533 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28534 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28535 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28536 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28537 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28538 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28539 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28540 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28541 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28542 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28543 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28544 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28545 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28546 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28547 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28548 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28549 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28550 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28551 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28552 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28553 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28554 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28555 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28556 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28557 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28558 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28559 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28560 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28561 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28562 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28563 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28564 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28565 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28566 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28567 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28568 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28569 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28570 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28571 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28572 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28573 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28574 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28575 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28576 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28577 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28578 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28579 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28580 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28581 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28582 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 28583 start_va = 0x500000 end_va = 0x505fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Thread: id = 822 os_tid = 0x97c [0266.241] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0266.241] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0266.241] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0266.241] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0266.241] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0266.241] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0266.242] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0266.242] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0266.243] GetProcessHeap () returned 0x540000 [0266.243] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0266.243] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0266.243] GetLastError () returned 0x7e [0266.243] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0266.243] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0266.243] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x364) returned 0x550a50 [0266.243] SetLastError (dwErrCode=0x7e) [0266.243] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe00) returned 0x550dc0 [0266.245] GetStartupInfoW (in: lpStartupInfo=0x4ffe28 | out: lpStartupInfo=0x4ffe28*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0266.245] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0266.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0266.245] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0266.245] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"" [0266.245] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"" [0266.245] GetACP () returned 0x4e4 [0266.245] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x220) returned 0x551bc8 [0266.245] IsValidCodePage (CodePage=0x4e4) returned 1 [0266.245] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ffe48 | out: lpCPInfo=0x4ffe48) returned 1 [0266.245] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff710 | out: lpCPInfo=0x4ff710) returned 1 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x4ff4b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0266.246] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x4ff724 | out: lpCharType=0x4ff724) returned 1 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x4ff468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0266.246] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0266.246] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0266.246] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0266.246] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x4ff258, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0266.246] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4ffc24, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÒ\x86Å/`þO", lpUsedDefaultChar=0x0) returned 256 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0266.246] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffd24, cbMultiByte=256, lpWideCharStr=0x4ff488, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0266.246] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0266.246] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4ff278, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0266.246] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4ffb24, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÒ\x86Å/`þO", lpUsedDefaultChar=0x0) returned 256 [0266.246] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x80) returned 0x543858 [0266.247] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0266.247] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x17a) returned 0x551df0 [0266.247] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0266.247] GetLastError () returned 0x0 [0266.247] SetLastError (dwErrCode=0x0) [0266.247] GetEnvironmentStringsW () returned 0x551f78* [0266.247] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0xa8c) returned 0x552a10 [0266.252] FreeEnvironmentStringsW (penv=0x551f78) returned 1 [0266.252] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544548 [0266.252] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54a9a0 [0266.252] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x5c) returned 0x548820 [0266.252] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x6e) returned 0x544610 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x78) returned 0x554350 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x5449e0 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x28) returned 0x543d78 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x543fc8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1a) returned 0x540570 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54aef8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x543bd8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2a) returned 0x5483f8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548510 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1c) returned 0x543da8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x144) returned 0x549a38 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x7c) returned 0x548080 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e220 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54ab50 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544380 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x5438f8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x30) returned 0x548708 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e4e0 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x5428f0 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5404b8 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3c) returned 0x54b138 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xd6) returned 0x549e58 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548548 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1e) returned 0x542940 [0266.253] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548580 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x54) returned 0x543df0 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x544050 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543e50 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x42) returned 0x5440b0 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x5485f0 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x549f88 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543928 [0266.254] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x552a10 | out: hHeap=0x540000) returned 1 [0266.254] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x800) returned 0x551f78 [0266.254] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0266.254] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0266.255] GetStartupInfoW (in: lpStartupInfo=0x4ffe8c | out: lpStartupInfo=0x4ffe8c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0266.255] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"" [0266.255] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_plugAndPlay /fn_args=\"1\"", pNumArgs=0x4ffe78 | out: pNumArgs=0x4ffe78) returned 0x552bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0266.255] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0266.257] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x1000) returned 0x5544b0 [0266.258] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x28) returned 0x54a6d0 [0266.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_plugAndPlay", cchWideChar=-1, lpMultiByteStr=0x54a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_plugAndPlay", lpUsedDefaultChar=0x0) returned 20 [0266.258] GetLastError () returned 0x0 [0266.258] SetLastError (dwErrCode=0x0) [0266.258] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayW") returned 0x0 [0266.258] GetLastError () returned 0x7f [0266.258] SetLastError (dwErrCode=0x7f) [0266.258] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlayA") returned 0x0 [0266.258] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_plugAndPlay") returned 0x647cbbbd [0266.258] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x4) returned 0x543800 [0266.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x543800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0266.259] GetActiveWindow () returned 0x0 [0266.271] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x5544b0 | out: hHeap=0x540000) returned 1 [0266.272] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x54a6d0 | out: hHeap=0x540000) returned 1 [0266.272] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x543800 | out: hHeap=0x540000) returned 1 [0266.272] GetCurrentProcessId () returned 0x10e8 [0266.272] GetCurrentThreadId () returned 0x97c [0266.272] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0266.287] Thread32First (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.288] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.288] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.289] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.290] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.290] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.291] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.291] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.292] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.293] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.293] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.294] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.297] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.297] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.298] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.298] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.299] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.300] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.300] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.301] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.301] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.302] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.302] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.303] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.304] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.304] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.305] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.305] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.306] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.307] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.307] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.308] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.308] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.309] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.309] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.310] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.311] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.312] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.312] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.313] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.313] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.314] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.314] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.315] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.316] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.316] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.317] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.317] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.318] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.319] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.319] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.320] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.320] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.321] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.321] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.322] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.323] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.323] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.324] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.324] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.325] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.326] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.326] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.327] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.328] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.328] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.329] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.329] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.330] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.331] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.331] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.332] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.332] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.333] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.334] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.334] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.335] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.335] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.336] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.337] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.337] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.338] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.338] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.339] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.340] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.340] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.348] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.349] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.349] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.350] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.350] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.351] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.352] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.352] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.353] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.353] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.354] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.355] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.355] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.356] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.358] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.359] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.359] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.360] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.361] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.361] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.362] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.362] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.363] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.364] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.364] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.365] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.365] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.366] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.367] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.367] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.368] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.368] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.369] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.369] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.370] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.371] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.371] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.372] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.373] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.374] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.374] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.375] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.376] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.376] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.377] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.377] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.378] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.379] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.379] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.380] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.380] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.381] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.381] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.382] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.383] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.383] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.384] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.384] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.385] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.385] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.386] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.387] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.387] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.388] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.389] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.389] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.390] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.390] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.391] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.391] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.392] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.393] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.393] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.414] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.415] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.416] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.416] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.417] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.417] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.418] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.418] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.420] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.421] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.421] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.422] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.422] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.423] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.423] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.424] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.425] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.425] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.426] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.426] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.427] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.427] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.428] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.429] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.429] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.430] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.430] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.431] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.432] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.432] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.433] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.433] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.434] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.434] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.435] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.436] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.436] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.437] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.438] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.438] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.439] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.439] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.440] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.440] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.441] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.442] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.442] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.443] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.443] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.444] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.445] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.445] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.446] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.446] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.447] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.447] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.448] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.449] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.449] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.450] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.454] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.454] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.455] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.456] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.456] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.457] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.457] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.458] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.458] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.459] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.460] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.460] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.461] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.461] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.462] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.463] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.463] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.464] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.464] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.465] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.465] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.468] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.468] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.469] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.469] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.470] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.470] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.471] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.472] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.472] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.473] Thread32Next (hSnapshot=0x150, lpte=0x4ffe5c) returned 1 [0266.918] CloseHandle (hObject=0x150) returned 1 [0266.918] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xcb4) returned 0x150 [0266.918] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) Thread: id = 824 os_tid = 0xcb4 Process: id = "390" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x177d000" os_pid = "0xd50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28586 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28587 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28588 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28589 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28590 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28591 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28592 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28593 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28594 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28595 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28596 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28597 start_va = 0x7f410000 end_va = 0x7f432fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f410000" filename = "" Region: id = 28598 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28599 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28600 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28601 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28602 start_va = 0x410000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 28603 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28604 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28605 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28606 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28607 start_va = 0x410000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 28608 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 28609 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28610 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28611 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28612 start_va = 0x7f310000 end_va = 0x7f40ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f310000" filename = "" Region: id = 28613 start_va = 0x530000 end_va = 0x5edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28614 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28615 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28616 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28617 start_va = 0x610000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 28618 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28619 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28620 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28621 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28622 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28623 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28624 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28625 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28626 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28627 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28628 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28629 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28630 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28631 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28632 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28633 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28634 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28635 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28636 start_va = 0x710000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28637 start_va = 0x8a0000 end_va = 0x8c9fff monitored = 0 entry_point = 0x8a5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28638 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28639 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28640 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 28641 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 28642 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 28643 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 28644 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28645 start_va = 0xa30000 end_va = 0xac0fff monitored = 0 entry_point = 0xa68cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28648 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28649 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 28650 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 28651 start_va = 0xa30000 end_va = 0xa37fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 28652 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 28653 start_va = 0xa40000 end_va = 0xa41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 28654 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 28655 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 28656 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 28657 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Thread: id = 826 os_tid = 0xed8 [0267.096] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0267.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.096] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0267.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.097] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0267.097] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0267.099] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.099] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0267.099] GetProcessHeap () returned 0x430000 [0267.099] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.099] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0267.100] GetLastError () returned 0x7e [0267.100] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0267.100] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0267.100] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x364) returned 0x440a58 [0267.100] SetLastError (dwErrCode=0x7e) [0267.100] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xe00) returned 0x440dc8 [0267.102] GetStartupInfoW (in: lpStartupInfo=0x18f994 | out: lpStartupInfo=0x18f994*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0267.102] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0267.102] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0267.102] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0267.102] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"" [0267.103] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"" [0267.103] GetACP () returned 0x4e4 [0267.103] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x220) returned 0x441bd0 [0267.103] IsValidCodePage (CodePage=0x4e4) returned 1 [0267.103] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9b4 | out: lpCPInfo=0x18f9b4) returned 1 [0267.103] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f27c | out: lpCPInfo=0x18f27c) returned 1 [0267.103] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.103] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x18f018, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0267.103] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f290 | out: lpCharType=0x18f290) returned 1 [0267.103] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.103] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0267.103] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.104] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0267.104] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0267.104] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0267.104] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f790, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x87écÌù\x18", lpUsedDefaultChar=0x0) returned 256 [0267.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f890, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0267.104] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0267.104] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0267.104] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f690, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿg\x87écÌù\x18", lpUsedDefaultChar=0x0) returned 256 [0267.104] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x80) returned 0x433860 [0267.104] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0267.104] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x180) returned 0x441df8 [0267.104] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0267.104] GetLastError () returned 0x0 [0267.104] SetLastError (dwErrCode=0x0) [0267.104] GetEnvironmentStringsW () returned 0x441f80* [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0xa8c) returned 0x442a18 [0267.105] FreeEnvironmentStringsW (penv=0x441f80) returned 1 [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x90) returned 0x434550 [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3e) returned 0x43af00 [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x5c) returned 0x438a88 [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x6e) returned 0x434618 [0267.105] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x78) returned 0x4435d8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x434c48 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x28) returned 0x433d80 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x433fd0 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1a) returned 0x430570 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3a) returned 0x43b020 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x62) returned 0x433be0 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2a) returned 0x4389a8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2e) returned 0x438970 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1c) returned 0x433db0 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x144) returned 0x439ca0 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x7c) returned 0x4382e8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x36) returned 0x43e4a8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3a) returned 0x43afd8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x90) returned 0x434388 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x433900 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x30) returned 0x438820 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x36) returned 0x43e1e8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x48) returned 0x4328f8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x52) returned 0x4304b8 [0267.106] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x3c) returned 0x43b0b0 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0xd6) returned 0x439e60 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2e) returned 0x4388c8 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x1e) returned 0x432948 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2c) returned 0x4389e0 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x54) returned 0x433df8 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x52) returned 0x434058 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x433e58 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x42) returned 0x4340b8 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x2c) returned 0x438778 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x44) returned 0x439f90 [0267.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x24) returned 0x433930 [0267.109] HeapFree (in: hHeap=0x430000, dwFlags=0x0, lpMem=0x442a18 | out: hHeap=0x430000) returned 1 [0267.109] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x8, Size=0x800) returned 0x441f80 [0267.109] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0267.109] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0267.109] GetStartupInfoW (in: lpStartupInfo=0x18f9f8 | out: lpStartupInfo=0x18f9f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0267.109] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"" [0267.109] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"", pNumArgs=0x18f9e4 | out: pNumArgs=0x18f9e4) returned 0x442bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0267.110] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0267.113] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x1000) returned 0x4444b8 [0267.113] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x2e) returned 0x438900 [0267.113] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_removeProvider", cchWideChar=-1, lpMultiByteStr=0x438900, cbMultiByte=46, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_removeProvider", lpUsedDefaultChar=0x0) returned 23 [0267.113] GetLastError () returned 0x0 [0267.113] SetLastError (dwErrCode=0x0) [0267.113] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderW") returned 0x0 [0267.113] GetLastError () returned 0x7f [0267.113] SetLastError (dwErrCode=0x7f) [0267.114] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProviderA") returned 0x0 [0267.114] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_removeProvider") returned 0x647cb8c9 [0267.114] RtlAllocateHeap (HeapHandle=0x430000, Flags=0x0, Size=0x4) returned 0x433808 [0267.114] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x433808, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0267.114] GetActiveWindow () returned 0x0 [0267.115] GetLastError () returned 0x7f [0267.115] SetLastError (dwErrCode=0x7f) Thread: id = 828 os_tid = 0xe9c Process: id = "391" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5220f000" os_pid = "0x10e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "390" os_parent_pid = "0xd50" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_removeProvider /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "392" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1795000" os_pid = "0xd40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28662 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28663 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28664 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28665 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28666 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28667 start_va = 0x700000 end_va = 0x701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 28668 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28669 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28670 start_va = 0x7f2b0000 end_va = 0x7f2d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f2b0000" filename = "" Region: id = 28671 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28672 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 28673 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 28674 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 28675 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28676 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28677 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28678 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28679 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 28680 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 28681 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28682 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 28683 start_va = 0x710000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 28684 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 28685 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 28686 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 28687 start_va = 0x7f1b0000 end_va = 0x7f2affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1b0000" filename = "" Region: id = 28688 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 28689 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 28690 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 28691 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 28692 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 28693 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 28694 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 28695 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 28696 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 28697 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 28698 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 28699 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 28700 start_va = 0x700000 end_va = 0x703fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 28701 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 28702 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 28703 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 28704 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 28705 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 28706 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 28707 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 28708 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 28709 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 28710 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 28711 start_va = 0x710000 end_va = 0x739fff monitored = 0 entry_point = 0x715680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28712 start_va = 0x820000 end_va = 0x91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 28713 start_va = 0x920000 end_va = 0xaa7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 28714 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 28717 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 28718 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 28719 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 28720 start_va = 0x710000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 28721 start_va = 0xab0000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 28722 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 28723 start_va = 0x710000 end_va = 0x7a0fff monitored = 0 entry_point = 0x748cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 28724 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 28727 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 28728 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 28729 start_va = 0xc40000 end_va = 0xd3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 28730 start_va = 0x710000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 28731 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 28732 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28733 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28734 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28735 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28736 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28737 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28738 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28739 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28740 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28741 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28742 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28743 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28744 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28745 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28746 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28747 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28748 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28749 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28750 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28751 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28752 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28753 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28754 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28755 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28756 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28757 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28758 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28759 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28760 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28761 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28762 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28763 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28764 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28765 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28766 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28767 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28768 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28769 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28770 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28771 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28772 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28773 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28774 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28775 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28776 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28777 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28778 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28779 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28780 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28781 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28782 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28783 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28784 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28785 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28786 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28787 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28788 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28789 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28790 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28791 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28792 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28793 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28794 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28795 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28796 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28797 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28798 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28799 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28800 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28801 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28802 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28803 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28804 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28805 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28806 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28807 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28808 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28809 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28810 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28811 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28812 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28813 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28814 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28815 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28816 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28817 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28818 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28819 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28820 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28821 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28822 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28823 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28824 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28825 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28826 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28827 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28828 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28829 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28830 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28831 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28832 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28833 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28834 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28835 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28836 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28837 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28838 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28839 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28840 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28841 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28842 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28843 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28844 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28845 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28846 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28847 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28848 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28849 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28850 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28851 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28852 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28853 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28854 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28855 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28856 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28857 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28858 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28859 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28860 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28861 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28862 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28863 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28864 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28865 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28866 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28867 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28868 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28869 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28870 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28871 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28872 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28873 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28874 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28875 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28876 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28877 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28878 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28879 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28880 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28881 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28882 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28883 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28884 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28885 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28886 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28887 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28888 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28889 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28890 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28891 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28892 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28893 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28894 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28895 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28896 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28897 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28898 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28899 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28900 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28901 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28902 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28903 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28904 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28905 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28906 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28907 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28908 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28909 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28910 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28911 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28912 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28913 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28914 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28915 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28916 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28917 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28918 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28919 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28920 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28921 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28922 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28923 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28924 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28925 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28926 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28927 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28928 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28929 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28930 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28931 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28932 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28933 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28934 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28936 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28937 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28938 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28939 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28940 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28941 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28942 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28943 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28944 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28945 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28946 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28947 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28948 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28949 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28950 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28951 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28952 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28953 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28954 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28955 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28956 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28957 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28958 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28959 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28960 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28961 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28962 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28963 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28964 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28965 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28966 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28967 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28968 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28969 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28970 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28971 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28972 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28973 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28974 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28975 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28976 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28977 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28978 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28979 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28980 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28981 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 28982 start_va = 0x710000 end_va = 0x715fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Thread: id = 829 os_tid = 0xb3c [0267.644] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0267.644] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.644] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0267.644] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.644] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0267.645] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0267.645] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.646] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0267.646] GetProcessHeap () returned 0x820000 [0267.646] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.646] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0267.646] GetLastError () returned 0x7e [0267.646] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0267.647] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0267.647] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x364) returned 0x830a50 [0267.647] SetLastError (dwErrCode=0x7e) [0267.647] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0xe00) returned 0x830dc0 [0267.649] GetStartupInfoW (in: lpStartupInfo=0x18fbc8 | out: lpStartupInfo=0x18fbc8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0267.649] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0267.649] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0267.649] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0267.649] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"" [0267.649] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"" [0267.649] GetACP () returned 0x4e4 [0267.649] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x220) returned 0x831bc8 [0267.649] IsValidCodePage (CodePage=0x4e4) returned 1 [0267.649] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fbe8 | out: lpCPInfo=0x18fbe8) returned 1 [0267.649] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4b0 | out: lpCPInfo=0x18f4b0) returned 1 [0267.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0267.649] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f4c4 | out: lpCharType=0x18f4c4) returned 1 [0267.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.649] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x18f208, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0267.649] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0267.650] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0267.650] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0267.650] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eff8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0267.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f9c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x95d\x9eo", lpUsedDefaultChar=0x0) returned 256 [0267.650] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0267.650] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fac4, cbMultiByte=256, lpWideCharStr=0x18f228, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0267.650] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0267.650] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f018, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0267.650] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f8c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x95d\x9eo", lpUsedDefaultChar=0x0) returned 256 [0267.650] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x80) returned 0x823858 [0267.650] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0267.650] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x17a) returned 0x831df0 [0267.650] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0267.650] GetLastError () returned 0x0 [0267.650] SetLastError (dwErrCode=0x0) [0267.650] GetEnvironmentStringsW () returned 0x831f78* [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0xa8c) returned 0x832a10 [0267.651] FreeEnvironmentStringsW (penv=0x831f78) returned 1 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x90) returned 0x8247a8 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3e) returned 0x82add8 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x5c) returned 0x828a80 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x6e) returned 0x824870 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x78) returned 0x8340d0 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x62) returned 0x824c40 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x28) returned 0x823d78 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x48) returned 0x823fc8 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1a) returned 0x820570 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3a) returned 0x82ad00 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x62) returned 0x823bd8 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2a) returned 0x8288c0 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2e) returned 0x828818 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1c) returned 0x823da8 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x144) returned 0x829c98 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x7c) returned 0x8282e0 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x36) returned 0x82e420 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3a) returned 0x82b018 [0267.651] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x90) returned 0x8245e0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x8238f8 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x30) returned 0x828690 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x36) returned 0x82e6e0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x48) returned 0x8228f0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x52) returned 0x8204b8 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x3c) returned 0x82afd0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0xd6) returned 0x829e58 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2e) returned 0x8289d8 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x1e) returned 0x822940 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2c) returned 0x828658 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x54) returned 0x823df0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x52) returned 0x824050 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x823e50 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x42) returned 0x8240b0 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x2c) returned 0x8288f8 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x44) returned 0x829f88 [0267.652] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x24) returned 0x823928 [0267.653] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x832a10 | out: hHeap=0x820000) returned 1 [0267.653] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x8, Size=0x800) returned 0x831f78 [0267.653] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0267.653] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0267.653] GetStartupInfoW (in: lpStartupInfo=0x18fc2c | out: lpStartupInfo=0x18fc2c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0267.653] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"" [0267.654] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setForkMode /fn_args=\"1\"", pNumArgs=0x18fc18 | out: pNumArgs=0x18fc18) returned 0x832bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0267.654] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0267.657] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x1000) returned 0x8344b0 [0267.657] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x28) returned 0x82a6d0 [0267.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setForkMode", cchWideChar=-1, lpMultiByteStr=0x82a6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setForkMode", lpUsedDefaultChar=0x0) returned 20 [0267.657] GetLastError () returned 0x0 [0267.657] SetLastError (dwErrCode=0x0) [0267.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeW") returned 0x0 [0267.658] GetLastError () returned 0x7f [0267.658] SetLastError (dwErrCode=0x7f) [0267.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkModeA") returned 0x0 [0267.658] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setForkMode") returned 0x647cb012 [0267.658] RtlAllocateHeap (HeapHandle=0x820000, Flags=0x0, Size=0x4) returned 0x823800 [0267.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x823800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0267.658] GetActiveWindow () returned 0x0 [0267.659] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x8344b0 | out: hHeap=0x820000) returned 1 [0267.660] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x82a6d0 | out: hHeap=0x820000) returned 1 [0267.660] HeapFree (in: hHeap=0x820000, dwFlags=0x0, lpMem=0x823800 | out: hHeap=0x820000) returned 1 [0267.660] GetCurrentProcessId () returned 0xd40 [0267.660] GetCurrentThreadId () returned 0xb3c [0267.660] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0267.674] Thread32First (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.674] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.675] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.676] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.676] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.677] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.678] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.679] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.679] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.680] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.681] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.682] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.682] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.683] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.684] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.684] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.688] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.688] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.689] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.690] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.691] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.691] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.692] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.693] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.694] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.694] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.695] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.696] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.697] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.697] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.698] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.699] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.699] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.700] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.736] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.736] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.737] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.738] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.738] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.739] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.740] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.740] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.741] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.742] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.742] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.743] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.744] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.744] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.745] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.746] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.747] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.747] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.748] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.749] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.749] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.750] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.751] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.752] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.752] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.753] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.754] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.754] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.755] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.756] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.756] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.757] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.758] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.759] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.759] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.760] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.761] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.761] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.762] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.763] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.772] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.773] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.774] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.775] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.775] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.776] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.777] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.777] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.778] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.781] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.782] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.782] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.783] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.784] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.785] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.786] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.786] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.787] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.788] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.788] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.789] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.790] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.791] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.792] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.793] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.794] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.796] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.797] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.798] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.799] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.800] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.801] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.802] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.803] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.804] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.804] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.805] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.806] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.807] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.808] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.809] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.817] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.818] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.819] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.820] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.821] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.821] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.822] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.823] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.824] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.825] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.827] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.828] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.829] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.830] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.831] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.832] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.833] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.833] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.834] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.835] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.836] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.837] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.838] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.839] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.840] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.841] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.844] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.845] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.845] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.846] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.847] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.848] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.849] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.850] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.851] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.852] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.853] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.854] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.855] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.855] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.856] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.860] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.861] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.862] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.863] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.864] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.865] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.866] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.867] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.868] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.869] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.870] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.871] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.872] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.873] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.875] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.876] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.877] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.878] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.879] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.880] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.881] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.882] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.883] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.884] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.885] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.886] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.887] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.891] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.892] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.893] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.894] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.894] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.895] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.895] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.896] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.896] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.897] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.898] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.898] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.899] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.899] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.900] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.900] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.901] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.902] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.902] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.903] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.914] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.914] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.915] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.916] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.916] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.917] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.917] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.918] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.918] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.920] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.920] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.921] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.921] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.922] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.922] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.923] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.924] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.924] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.925] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.925] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.926] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.927] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.927] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.928] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.928] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.929] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.929] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.930] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.931] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.931] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.932] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.932] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.933] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.933] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.934] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.935] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.935] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.936] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.936] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.937] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.938] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.938] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.939] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.939] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.940] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.940] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0267.941] Thread32Next (hSnapshot=0x150, lpte=0x18fbfc) returned 1 [0268.443] CloseHandle (hObject=0x150) returned 1 [0268.443] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0xee4) returned 0x150 [0268.443] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) Thread: id = 831 os_tid = 0xee4 Process: id = "393" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73cad000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 28986 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 28987 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 28988 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 28989 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 28990 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 28991 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 28992 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 28993 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 28994 start_va = 0x640000 end_va = 0x641fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 28995 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 28996 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 28997 start_va = 0x7f920000 end_va = 0x7f942fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f920000" filename = "" Region: id = 28998 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 28999 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29000 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29001 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29002 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29003 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29004 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29005 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29006 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29007 start_va = 0x650000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 29008 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29009 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29010 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29011 start_va = 0x7f820000 end_va = 0x7f91ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f820000" filename = "" Region: id = 29012 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29013 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 29014 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29015 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29016 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29017 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 29018 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29019 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29020 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29021 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29022 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29023 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29024 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29025 start_va = 0x640000 end_va = 0x643fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 29026 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29027 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29028 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29029 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29030 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29031 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29032 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29033 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29034 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29035 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29036 start_va = 0x650000 end_va = 0x679fff monitored = 0 entry_point = 0x655680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29037 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 29038 start_va = 0x870000 end_va = 0x9f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 29039 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29040 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29041 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29042 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 29043 start_va = 0xb90000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 29044 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29045 start_va = 0x650000 end_va = 0x6e0fff monitored = 0 entry_point = 0x688cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29048 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29049 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 29050 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 29051 start_va = 0x660000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 29052 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 29053 start_va = 0x670000 end_va = 0x671fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 29054 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 29055 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 29056 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 29057 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Thread: id = 833 os_tid = 0x1038 [0268.528] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0268.528] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.529] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0268.529] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.529] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0268.529] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0268.530] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.530] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0268.530] GetProcessHeap () returned 0x770000 [0268.530] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.530] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0268.530] GetLastError () returned 0x7e [0268.531] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0268.531] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0268.531] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x364) returned 0x780a50 [0268.531] SetLastError (dwErrCode=0x7e) [0268.531] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xe00) returned 0x780dc0 [0268.533] GetStartupInfoW (in: lpStartupInfo=0x18fe24 | out: lpStartupInfo=0x18fe24*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0268.533] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0268.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0268.533] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0268.533] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"" [0268.533] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"" [0268.533] GetACP () returned 0x4e4 [0268.533] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x220) returned 0x781bc8 [0268.533] IsValidCodePage (CodePage=0x4e4) returned 1 [0268.533] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe44 | out: lpCPInfo=0x18fe44) returned 1 [0268.533] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f70c | out: lpCPInfo=0x18f70c) returned 1 [0268.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0268.533] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f720 | out: lpCharType=0x18f720) returned 1 [0268.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.533] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0268.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.534] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0268.534] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0268.534] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f258, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0268.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc20, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÐb\x84×\\þ\x18", lpUsedDefaultChar=0x0) returned 256 [0268.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd20, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0268.534] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0268.534] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0268.534] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb20, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÐb\x84×\\þ\x18", lpUsedDefaultChar=0x0) returned 256 [0268.534] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x80) returned 0x773850 [0268.534] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0268.534] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x178) returned 0x781df0 [0268.534] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0268.534] GetLastError () returned 0x0 [0268.534] SetLastError (dwErrCode=0x0) [0268.535] GetEnvironmentStringsW () returned 0x781f70* [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0xa8c) returned 0x782a08 [0268.535] FreeEnvironmentStringsW (penv=0x781f70) returned 1 [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x90) returned 0x774540 [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3e) returned 0x77afd0 [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x5c) returned 0x778a80 [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x6e) returned 0x774838 [0268.535] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x78) returned 0x783548 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x62) returned 0x7749d8 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x28) returned 0x773d70 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x48) returned 0x773fc0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1a) returned 0x773da0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3a) returned 0x77ad90 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x62) returned 0x774608 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2a) returned 0x778930 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2e) returned 0x778690 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1c) returned 0x7747a8 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x144) returned 0x779c98 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x7c) returned 0x774378 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x36) returned 0x77e1e0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3a) returned 0x77ae68 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x90) returned 0x773de8 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x7747d0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x30) returned 0x778700 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x36) returned 0x77e120 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x48) returned 0x773bd0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x52) returned 0x7738f0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x3c) returned 0x77ab98 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0xd6) returned 0x779e58 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2e) returned 0x7788c0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x1e) returned 0x773c20 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2c) returned 0x7787e0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x54) returned 0x7728f0 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x52) returned 0x7704b8 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x774048 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x42) returned 0x774078 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x2c) returned 0x778818 [0268.536] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x44) returned 0x779f88 [0268.537] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x24) returned 0x7740c8 [0268.537] HeapFree (in: hHeap=0x770000, dwFlags=0x0, lpMem=0x782a08 | out: hHeap=0x770000) returned 1 [0268.537] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x8, Size=0x800) returned 0x781f70 [0268.537] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0268.537] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0268.538] GetStartupInfoW (in: lpStartupInfo=0x18fe88 | out: lpStartupInfo=0x18fe88*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0268.538] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"" [0268.538] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"", pNumArgs=0x18fe74 | out: pNumArgs=0x18fe74) returned 0x782bc0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0268.538] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0268.541] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x1000) returned 0x7844a8 [0268.541] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x26) returned 0x7782b8 [0268.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogHook", cchWideChar=-1, lpMultiByteStr=0x7782b8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogHook", lpUsedDefaultChar=0x0) returned 19 [0268.541] GetLastError () returned 0x0 [0268.541] SetLastError (dwErrCode=0x0) [0268.541] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookW") returned 0x0 [0268.541] GetLastError () returned 0x7f [0268.541] SetLastError (dwErrCode=0x7f) [0268.541] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHookA") returned 0x0 [0268.542] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogHook") returned 0x647cb075 [0268.542] RtlAllocateHeap (HeapHandle=0x770000, Flags=0x0, Size=0x4) returned 0x773e80 [0268.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x773e80, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0268.542] GetActiveWindow () returned 0x0 [0268.543] GetLastError () returned 0x7f [0268.543] SetLastError (dwErrCode=0x7f) Thread: id = 835 os_tid = 0xf6c Process: id = "394" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x15b7000" os_pid = "0xf84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "393" os_parent_pid = "0xf70" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "395" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x484c5000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29059 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29060 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29061 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29062 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 29063 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 29064 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 29065 start_va = 0x180000 end_va = 0x181fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29066 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29067 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29068 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29069 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29070 start_va = 0x7ec30000 end_va = 0x7ec52fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec30000" filename = "" Region: id = 29071 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29072 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29073 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29074 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29075 start_va = 0x500000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 29076 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29077 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29078 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29079 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29080 start_va = 0x630000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 29081 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29082 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29083 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29084 start_va = 0x7eb30000 end_va = 0x7ec2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb30000" filename = "" Region: id = 29085 start_va = 0xc0000 end_va = 0x17dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29086 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29087 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29088 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29089 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 29090 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 29091 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29092 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29093 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29094 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29095 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29096 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29097 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29098 start_va = 0x1c0000 end_va = 0x1c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29099 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29100 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29101 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29105 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29106 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29107 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29108 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29109 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29110 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29111 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29112 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29113 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 29114 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29147 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29148 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29149 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 29150 start_va = 0xac0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 29151 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29152 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29153 start_va = 0xbf0000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 29154 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29155 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29156 start_va = 0xac0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 29157 start_va = 0x1e0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29158 start_va = 0x600000 end_va = 0x605fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 29159 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29160 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29161 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29162 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29163 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29164 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29165 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29166 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29167 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29168 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29169 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29170 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29171 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29172 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29173 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29174 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29175 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29176 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29177 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29178 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29179 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29180 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29181 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29182 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29183 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29184 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29185 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29186 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29187 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29188 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29189 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29190 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29191 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29192 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29193 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29194 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29195 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29196 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29197 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29198 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29199 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29200 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29201 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29202 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29203 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29204 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29205 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29206 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29207 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29208 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29209 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29210 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29211 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29212 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29213 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29214 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29215 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29216 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29217 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29218 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29219 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29220 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29221 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29222 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29223 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29224 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29225 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29226 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29227 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29228 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29229 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29230 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29231 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29232 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29233 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29234 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29235 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29236 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29237 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29238 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29239 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29240 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29241 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29242 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29243 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29244 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29245 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29246 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29247 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29248 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29249 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29250 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29251 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29252 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29253 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29254 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29257 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29258 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29259 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29260 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29261 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29262 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29263 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29264 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29265 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29266 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29267 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29268 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29269 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29270 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29271 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29272 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29273 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29274 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29275 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29276 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29277 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29278 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29279 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29280 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29281 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29282 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29283 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29284 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29285 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29286 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29287 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29288 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29289 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29290 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29291 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29292 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29293 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29294 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29295 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29296 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29297 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29298 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29299 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29300 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29301 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29302 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29303 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29304 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29305 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29306 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29307 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29308 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29309 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29313 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29314 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29315 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29316 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29317 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29318 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29319 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29320 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29321 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29322 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29323 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29324 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29325 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29326 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29327 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29328 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29329 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29330 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29331 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29332 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29333 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29334 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29335 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29336 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29337 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29338 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29339 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29340 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29341 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29342 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29343 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29344 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29345 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29346 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29347 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29348 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29349 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29350 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29351 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29352 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29353 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29354 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29355 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29356 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29357 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29358 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29359 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29360 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29361 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29362 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29363 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29364 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29365 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29366 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29367 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29368 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29369 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29370 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29371 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29372 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29373 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29374 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29375 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29376 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29377 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29378 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29379 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29380 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29381 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29382 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29383 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29384 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29385 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29386 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29387 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29388 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29389 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29390 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29391 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29392 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29393 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29394 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29395 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29396 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29397 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29398 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29399 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29400 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29401 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29402 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29403 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29404 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29405 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29406 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29407 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29408 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29409 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29410 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29411 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29412 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 29413 start_va = 0x1e0000 end_va = 0x1e5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 836 os_tid = 0x1120 [0268.975] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0268.975] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.975] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0268.975] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.975] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0268.976] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0268.976] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.976] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0268.977] GetProcessHeap () returned 0x6a0000 [0268.977] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.977] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0268.977] GetLastError () returned 0x7e [0268.977] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0268.977] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0268.977] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x364) returned 0x6b0a50 [0268.977] SetLastError (dwErrCode=0x7e) [0268.977] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xe00) returned 0x6b0dc0 [0268.979] GetStartupInfoW (in: lpStartupInfo=0x4ff7c0 | out: lpStartupInfo=0x4ff7c0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0268.979] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0268.979] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0268.979] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0268.979] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"" [0268.979] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"" [0268.979] GetACP () returned 0x4e4 [0268.979] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x220) returned 0x6b1bc8 [0268.979] IsValidCodePage (CodePage=0x4e4) returned 1 [0268.979] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff7e0 | out: lpCPInfo=0x4ff7e0) returned 1 [0268.979] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff0a8 | out: lpCPInfo=0x4ff0a8) returned 1 [0268.979] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.979] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x4fee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0268.979] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x4ff0bc | out: lpCharType=0x4ff0bc) returned 1 [0268.980] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.980] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x4fedf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0268.980] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0268.980] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0268.980] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0268.980] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4febe8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0268.980] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4ff5bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿù\x81\x9f8ø÷O", lpUsedDefaultChar=0x0) returned 256 [0268.980] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0268.980] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ff6bc, cbMultiByte=256, lpWideCharStr=0x4fee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0268.980] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0268.980] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x4fec08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0268.980] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4ff4bc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿù\x81\x9f8ø÷O", lpUsedDefaultChar=0x0) returned 256 [0268.980] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x80) returned 0x6a3858 [0268.980] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0268.980] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x17a) returned 0x6b1df0 [0268.980] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0268.980] GetLastError () returned 0x0 [0268.981] SetLastError (dwErrCode=0x0) [0268.981] GetEnvironmentStringsW () returned 0x6b1f78* [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0xa8c) returned 0x6b2a10 [0268.981] FreeEnvironmentStringsW (penv=0x6b1f78) returned 1 [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x90) returned 0x6a4548 [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3e) returned 0x6aaac0 [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x5c) returned 0x6a8820 [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x6e) returned 0x6a4610 [0268.981] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x78) returned 0x6b3ad0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x62) returned 0x6a49e0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x28) returned 0x6a3d78 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x48) returned 0x6a3fc8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1a) returned 0x6a0570 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3a) returned 0x6aaef8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x62) returned 0x6a3bd8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2a) returned 0x6a8778 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2e) returned 0x6a8548 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1c) returned 0x6a3da8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x144) returned 0x6a9c98 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x7c) returned 0x6a8080 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x36) returned 0x6ae6e0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3a) returned 0x6aaeb0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x90) returned 0x6a4380 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a38f8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x30) returned 0x6a8660 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x36) returned 0x6ae0e0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x48) returned 0x6a28f0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x52) returned 0x6a04b8 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x3c) returned 0x6aaa30 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0xd6) returned 0x6a9e58 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2e) returned 0x6a8708 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x1e) returned 0x6a2940 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2c) returned 0x6a8468 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x54) returned 0x6a3df0 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x52) returned 0x6a4050 [0268.982] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a3e50 [0268.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x42) returned 0x6a40b0 [0268.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x2c) returned 0x6a85f0 [0268.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x44) returned 0x6a9f88 [0268.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x24) returned 0x6a3928 [0268.983] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b2a10 | out: hHeap=0x6a0000) returned 1 [0268.983] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x8, Size=0x800) returned 0x6b1f78 [0268.983] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0268.983] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0268.983] GetStartupInfoW (in: lpStartupInfo=0x4ff824 | out: lpStartupInfo=0x4ff824*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0268.984] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"" [0268.984] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setLogLevel /fn_args=\"1\"", pNumArgs=0x4ff810 | out: pNumArgs=0x4ff810) returned 0x6b2bc8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0268.984] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0268.986] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x1000) returned 0x6b44b0 [0268.986] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x28) returned 0x6aa6d0 [0268.986] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setLogLevel", cchWideChar=-1, lpMultiByteStr=0x6aa6d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setLogLevel", lpUsedDefaultChar=0x0) returned 20 [0268.987] GetLastError () returned 0x0 [0268.987] SetLastError (dwErrCode=0x0) [0268.987] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelW") returned 0x0 [0268.987] GetLastError () returned 0x7f [0268.987] SetLastError (dwErrCode=0x7f) [0268.987] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevelA") returned 0x0 [0268.987] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setLogLevel") returned 0x647cb004 [0268.987] RtlAllocateHeap (HeapHandle=0x6a0000, Flags=0x0, Size=0x4) returned 0x6a3800 [0268.987] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x6a3800, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0268.987] GetActiveWindow () returned 0x0 [0268.988] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6b44b0 | out: hHeap=0x6a0000) returned 1 [0268.988] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6aa6d0 | out: hHeap=0x6a0000) returned 1 [0268.989] HeapFree (in: hHeap=0x6a0000, dwFlags=0x0, lpMem=0x6a3800 | out: hHeap=0x6a0000) returned 1 [0268.989] GetCurrentProcessId () returned 0xb90 [0268.989] GetCurrentThreadId () returned 0x1120 [0268.989] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0268.999] Thread32First (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.000] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.031] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.032] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.033] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.033] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.034] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.034] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.035] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.036] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.036] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.037] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.037] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.038] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.039] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.039] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.040] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.040] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.041] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.041] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.042] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.043] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.043] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.044] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.048] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.048] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.049] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.049] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.050] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.051] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.051] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.052] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.052] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.053] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.054] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.054] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.055] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.055] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.056] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.057] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.057] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.058] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.058] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.059] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.059] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.060] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.061] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.061] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.062] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.062] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.063] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.064] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.064] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.065] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.066] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.066] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.067] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.068] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.068] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.069] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.069] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.070] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.070] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.071] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.072] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.072] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.073] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.073] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.074] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.075] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.076] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.077] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.077] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.078] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.078] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.079] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.080] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.080] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.081] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.081] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.082] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.082] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.083] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.084] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.084] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.085] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.085] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.086] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.087] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.087] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.088] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.088] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.089] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.089] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.090] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.091] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.098] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.098] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.099] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.100] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.100] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.101] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.101] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.102] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.103] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.103] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.104] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.104] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.105] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.105] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.106] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.107] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.108] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.108] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.109] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.109] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.110] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.111] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.111] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.112] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.112] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.113] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.113] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.114] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.115] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.115] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.116] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.116] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.117] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.118] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.118] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.119] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.119] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.120] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.121] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.121] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.122] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.122] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.123] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.123] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.124] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.125] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.125] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.126] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.126] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.127] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.128] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.128] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.129] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.145] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.146] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.146] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.147] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.148] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.148] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.149] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.149] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.150] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.151] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.151] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.152] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.152] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.153] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.154] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.155] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.155] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.156] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.157] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.157] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.158] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.158] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.159] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.159] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.160] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.161] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.161] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.162] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.162] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.163] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.164] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.164] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.165] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.165] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.166] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.166] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.167] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.168] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.168] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.169] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.170] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.171] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.171] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.172] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.173] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.173] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.174] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.174] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.175] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.175] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.176] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.177] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.177] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.178] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.178] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.179] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.179] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.180] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.181] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.181] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.182] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.182] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.183] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.184] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.184] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.200] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.201] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.202] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.202] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.203] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.204] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.205] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.206] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.206] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.207] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.208] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.208] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.209] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.209] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.210] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.210] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.211] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.212] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.212] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.213] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.213] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.214] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.215] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.215] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.216] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.217] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.217] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.218] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.219] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.219] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.220] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.220] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.221] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.221] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.222] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.223] Thread32Next (hSnapshot=0x150, lpte=0x4ff7f4) returned 1 [0269.485] CloseHandle (hObject=0x150) returned 1 [0269.485] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x13ac) returned 0x150 [0269.485] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) Thread: id = 838 os_tid = 0x13ac Process: id = "396" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x14dd000" os_pid = "0x11e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29414 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29415 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29416 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29417 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 29418 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 29419 start_va = 0xb0000 end_va = 0xb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 29420 start_va = 0x180000 end_va = 0x181fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29421 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29422 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29423 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29424 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29425 start_va = 0x7f550000 end_va = 0x7f572fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f550000" filename = "" Region: id = 29426 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29427 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29428 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29429 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29430 start_va = 0xc0000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 29431 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29432 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29433 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29434 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29435 start_va = 0x500000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 29436 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29437 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29438 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29439 start_va = 0x7f450000 end_va = 0x7f54ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f450000" filename = "" Region: id = 29440 start_va = 0x500000 end_va = 0x5bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29441 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 29442 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29443 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29444 start_va = 0xc0000 end_va = 0xfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 29445 start_va = 0x150000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 29446 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 29447 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29448 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29449 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29450 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29451 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29452 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29453 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29454 start_va = 0x180000 end_va = 0x183fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 29455 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29456 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29457 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29458 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29459 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29460 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29461 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29462 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29463 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29464 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29465 start_va = 0x190000 end_va = 0x1b9fff monitored = 0 entry_point = 0x195680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29466 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 29467 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29468 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29469 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 29470 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 29471 start_va = 0xb00000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 29472 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29473 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29474 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 29475 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29476 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 29477 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29478 start_va = 0x1a0000 end_va = 0x1a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29481 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 29482 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 29502 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 29503 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 29504 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29505 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Thread: id = 839 os_tid = 0xc18 [0269.626] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0269.626] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0269.626] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0269.626] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0269.627] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0269.627] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0269.627] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0269.628] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0269.628] GetProcessHeap () returned 0x6e0000 [0269.628] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0269.628] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0269.628] GetLastError () returned 0x7e [0269.628] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0269.629] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0269.629] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x364) returned 0x6f0a60 [0269.629] SetLastError (dwErrCode=0x7e) [0269.629] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xe00) returned 0x6f0dd0 [0269.631] GetStartupInfoW (in: lpStartupInfo=0x4ffbd4 | out: lpStartupInfo=0x4ffbd4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0269.631] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0269.631] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0269.631] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0269.631] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"" [0269.631] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"" [0269.631] GetACP () returned 0x4e4 [0269.631] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x220) returned 0x6f1bd8 [0269.631] IsValidCodePage (CodePage=0x4e4) returned 1 [0269.631] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ffbf4 | out: lpCPInfo=0x4ffbf4) returned 1 [0269.631] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x4ff4bc | out: lpCPInfo=0x4ff4bc) returned 1 [0269.631] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0269.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x4ff258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0269.632] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x4ff4d0 | out: lpCharType=0x4ff4d0) returned 1 [0269.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0269.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x4ff218, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0269.632] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0269.632] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0269.632] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0269.632] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4ff008, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0269.632] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x4ff9d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÁ\x92\r·\x0cüO", lpUsedDefaultChar=0x0) returned 256 [0269.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0269.632] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x4ffad0, cbMultiByte=256, lpWideCharStr=0x4ff228, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0269.632] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0269.632] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x4ff018, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0269.632] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x4ff8d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÁ\x92\r·\x0cüO", lpUsedDefaultChar=0x0) returned 256 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x80) returned 0x6e3868 [0269.633] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x188) returned 0x6f1e00 [0269.633] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0269.633] GetLastError () returned 0x0 [0269.633] SetLastError (dwErrCode=0x0) [0269.633] GetEnvironmentStringsW () returned 0x6f1f90* [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0xa8c) returned 0x6f2a28 [0269.633] FreeEnvironmentStringsW (penv=0x6f1f90) returned 1 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4558 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3e) returned 0x6eaa40 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x5c) returned 0x6e8830 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x6e) returned 0x6e4620 [0269.633] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x78) returned 0x6f36e8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e49f0 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x28) returned 0x6e3d88 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e3fd8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1a) returned 0x6e0570 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eab18 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x62) returned 0x6e3be8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2a) returned 0x6e86a8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e8440 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1c) returned 0x6e3db8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x144) returned 0x6e9ca8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x7c) returned 0x6e8090 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6ee370 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3a) returned 0x6eab60 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x90) returned 0x6e4390 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3908 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x30) returned 0x6e8478 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x36) returned 0x6ee6b0 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x48) returned 0x6e2900 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e04b8 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x3c) returned 0x6eaec0 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0xd6) returned 0x6e9e68 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2e) returned 0x6e84b0 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x1e) returned 0x6e2950 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e8718 [0269.634] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x54) returned 0x6e3e00 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x52) returned 0x6e4060 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3e60 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x42) returned 0x6e40c0 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x2c) returned 0x6e85c8 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x44) returned 0x6e9f98 [0269.635] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x24) returned 0x6e3938 [0269.636] HeapFree (in: hHeap=0x6e0000, dwFlags=0x0, lpMem=0x6f2a28 | out: hHeap=0x6e0000) returned 1 [0269.636] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x8, Size=0x800) returned 0x6f1f90 [0269.636] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0269.636] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0269.636] GetStartupInfoW (in: lpStartupInfo=0x4ffc38 | out: lpStartupInfo=0x4ffc38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0269.636] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"" [0269.637] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"", pNumArgs=0x4ffc24 | out: pNumArgs=0x4ffc24) returned 0x6f2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0269.637] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0269.641] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x1000) returned 0x6f44c8 [0269.641] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x36) returned 0x6ee2b0 [0269.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setMaxLoginRetries", cchWideChar=-1, lpMultiByteStr=0x6ee2b0, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setMaxLoginRetries", lpUsedDefaultChar=0x0) returned 27 [0269.641] GetLastError () returned 0x0 [0269.641] SetLastError (dwErrCode=0x0) [0269.641] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesW") returned 0x0 [0269.641] GetLastError () returned 0x7f [0269.641] SetLastError (dwErrCode=0x7f) [0269.641] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetriesA") returned 0x0 [0269.642] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setMaxLoginRetries") returned 0x647cb31d [0269.642] RtlAllocateHeap (HeapHandle=0x6e0000, Flags=0x0, Size=0x4) returned 0x6e3810 [0269.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x6e3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0269.642] GetActiveWindow () returned 0x0 [0269.645] GetLastError () returned 0x7f [0269.645] SetLastError (dwErrCode=0x7f) Thread: id = 841 os_tid = 0xb48 Process: id = "397" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x45a54000" os_pid = "0x1114" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "396" os_parent_pid = "0x11e8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setMaxLoginRetries /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "398" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x13f3000" os_pid = "0xc1c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29511 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29512 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29513 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29514 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29515 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29516 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29517 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29518 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29519 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 29520 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29521 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29522 start_va = 0x7e9c0000 end_va = 0x7e9e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e9c0000" filename = "" Region: id = 29523 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29524 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29525 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29526 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29527 start_va = 0x400000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29528 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29529 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29530 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29531 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29532 start_va = 0xa40000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 29533 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29534 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29535 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29536 start_va = 0x7e8c0000 end_va = 0x7e9bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e8c0000" filename = "" Region: id = 29537 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29538 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 29539 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29540 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29541 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29542 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 29543 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29544 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29547 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29548 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29549 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29550 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29551 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29552 start_va = 0xa30000 end_va = 0xa33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 29553 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29554 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29555 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29556 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29557 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29558 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29559 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29560 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29561 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29562 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29563 start_va = 0x670000 end_va = 0x7f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 29564 start_va = 0xa40000 end_va = 0xa69fff monitored = 0 entry_point = 0xa45680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29565 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 29566 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29567 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29568 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29569 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 29570 start_va = 0xb80000 end_va = 0xbeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 29571 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29572 start_va = 0xbf0000 end_va = 0xc80fff monitored = 0 entry_point = 0xc28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29573 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29574 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 29575 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 29576 start_va = 0xa50000 end_va = 0xa57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 29577 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 29578 start_va = 0xa60000 end_va = 0xa61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 29579 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 29580 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 29581 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 29582 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Thread: id = 843 os_tid = 0xf18 [0270.871] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0270.871] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0270.871] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0270.872] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0270.872] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0270.872] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0270.874] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0270.874] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0270.874] GetProcessHeap () returned 0xa80000 [0270.874] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0270.874] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0270.875] GetLastError () returned 0x7e [0270.875] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0270.875] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0270.875] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x364) returned 0xa90a60 [0270.875] SetLastError (dwErrCode=0x7e) [0270.875] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0xe00) returned 0xa90dd0 [0270.877] GetStartupInfoW (in: lpStartupInfo=0x18f9a8 | out: lpStartupInfo=0x18f9a8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0270.877] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0270.877] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0270.877] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0270.877] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"" [0270.877] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"" [0270.877] GetACP () returned 0x4e4 [0270.877] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x220) returned 0xa91bd8 [0270.877] IsValidCodePage (CodePage=0x4e4) returned 1 [0270.877] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9c8 | out: lpCPInfo=0x18f9c8) returned 1 [0270.877] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f290 | out: lpCPInfo=0x18f290) returned 1 [0270.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0270.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18f038, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0270.877] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2a4 | out: lpCharType=0x18f2a4) returned 1 [0270.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0270.877] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18efe8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0270.877] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0270.877] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0270.878] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0270.878] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18edd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0270.878] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%­\x88<àù\x18", lpUsedDefaultChar=0x0) returned 256 [0270.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0270.878] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8a4, cbMultiByte=256, lpWideCharStr=0x18f008, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0270.878] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0270.878] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edf8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0270.878] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6a4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ%­\x88<àù\x18", lpUsedDefaultChar=0x0) returned 256 [0270.878] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x80) returned 0xa83868 [0270.878] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0270.878] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x186) returned 0xa91e00 [0270.878] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0270.878] GetLastError () returned 0x0 [0270.878] SetLastError (dwErrCode=0x0) [0270.878] GetEnvironmentStringsW () returned 0xa91f90* [0270.878] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0xa8c) returned 0xa92a28 [0270.879] FreeEnvironmentStringsW (penv=0xa91f90) returned 1 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x90) returned 0xa847b8 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3e) returned 0xa8ade8 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x5c) returned 0xa88a90 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x6e) returned 0xa84880 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x78) returned 0xa94168 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x62) returned 0xa84c50 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x28) returned 0xa83d88 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x48) returned 0xa84238 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1a) returned 0xa80570 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3a) returned 0xa8b100 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x62) returned 0xa83be8 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2a) returned 0xa88940 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2e) returned 0xa888d0 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1c) returned 0xa83db8 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x144) returned 0xa89ca8 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x7c) returned 0xa882f0 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x36) returned 0xa8e1f0 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3a) returned 0xa8af50 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x90) returned 0xa845f0 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa83908 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x30) returned 0xa88908 [0270.879] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x36) returned 0xa8e270 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x48) returned 0xa82900 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x52) returned 0xa804b8 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x3c) returned 0xa8ab60 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0xd6) returned 0xa89e68 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2e) returned 0xa886d8 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x1e) returned 0xa82950 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2c) returned 0xa88978 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x54) returned 0xa83e00 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x52) returned 0xa842c0 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa83e60 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x42) returned 0xa84320 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x2c) returned 0xa889e8 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x44) returned 0xa89f98 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x24) returned 0xa83938 [0270.880] HeapFree (in: hHeap=0xa80000, dwFlags=0x0, lpMem=0xa92a28 | out: hHeap=0xa80000) returned 1 [0270.880] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x8, Size=0x800) returned 0xa91f90 [0270.881] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0270.881] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0270.881] GetStartupInfoW (in: lpStartupInfo=0x18fa0c | out: lpStartupInfo=0x18fa0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0270.881] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"" [0270.881] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"", pNumArgs=0x18f9f8 | out: pNumArgs=0x18f9f8) returned 0xa92be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0270.881] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0270.884] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x1000) returned 0xa944c8 [0270.884] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x34) returned 0xa8e330 [0270.884] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINCachePeriod", cchWideChar=-1, lpMultiByteStr=0xa8e330, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINCachePeriod", lpUsedDefaultChar=0x0) returned 26 [0270.884] GetLastError () returned 0x0 [0270.884] SetLastError (dwErrCode=0x0) [0270.884] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodW") returned 0x0 [0270.884] GetLastError () returned 0x7f [0270.884] SetLastError (dwErrCode=0x7f) [0270.884] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriodA") returned 0x0 [0270.885] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINCachePeriod") returned 0x647cb2b9 [0270.885] RtlAllocateHeap (HeapHandle=0xa80000, Flags=0x0, Size=0x4) returned 0xa83810 [0270.885] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xa83810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0270.885] GetActiveWindow () returned 0x0 [0270.890] GetLastError () returned 0x7f [0270.890] SetLastError (dwErrCode=0x7f) Thread: id = 845 os_tid = 0x123c Process: id = "399" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1365000" os_pid = "0x1154" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "398" os_parent_pid = "0xc1c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINCachePeriod /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "400" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x1350b000" os_pid = "0x1318" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29585 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29586 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29587 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29588 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29589 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29590 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29591 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29592 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29593 start_va = 0x420000 end_va = 0x421fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 29594 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29595 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29596 start_va = 0x7ed40000 end_va = 0x7ed62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed40000" filename = "" Region: id = 29597 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29598 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29599 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29600 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29601 start_va = 0x430000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 29602 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29603 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29604 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29605 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29606 start_va = 0x510000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 29607 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29608 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29609 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29610 start_va = 0x7ec40000 end_va = 0x7ed3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec40000" filename = "" Region: id = 29611 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29612 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29613 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29614 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29615 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 29616 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 29617 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29618 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29619 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29620 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29621 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29622 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29623 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29624 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29625 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 29626 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29627 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29628 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29629 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29630 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29631 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29632 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29633 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29634 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29635 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29636 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29637 start_va = 0x770000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 29638 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29639 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29640 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 29641 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 29642 start_va = 0xa90000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 29643 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29644 start_va = 0xa90000 end_va = 0xb20fff monitored = 0 entry_point = 0xac8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29645 start_va = 0xb70000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 29646 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29647 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 29648 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 29649 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 29652 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 29653 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 29654 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 29655 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 29658 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 29659 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Thread: id = 846 os_tid = 0xb4c [0271.478] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0271.478] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0271.478] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0271.478] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0271.478] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0271.479] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0271.479] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0271.479] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0271.480] GetProcessHeap () returned 0x670000 [0271.480] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0271.480] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0271.480] GetLastError () returned 0x7e [0271.480] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0271.480] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0271.480] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x364) returned 0x680a60 [0271.480] SetLastError (dwErrCode=0x7e) [0271.481] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xe00) returned 0x680dd0 [0271.530] GetStartupInfoW (in: lpStartupInfo=0x18fb34 | out: lpStartupInfo=0x18fb34*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0271.530] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0271.530] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0271.530] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0271.530] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"" [0271.530] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"" [0271.530] GetACP () returned 0x4e4 [0271.531] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x220) returned 0x681bd8 [0271.531] IsValidCodePage (CodePage=0x4e4) returned 1 [0271.531] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb54 | out: lpCPInfo=0x18fb54) returned 1 [0271.531] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f41c | out: lpCPInfo=0x18f41c) returned 1 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f1b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0271.531] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f430 | out: lpCharType=0x18f430) returned 1 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f178, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0271.531] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0271.531] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0271.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0271.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef68, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0271.531] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f930, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìò*>lû\x18", lpUsedDefaultChar=0x0) returned 256 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0271.531] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa30, cbMultiByte=256, lpWideCharStr=0x18f188, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0271.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0271.531] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ef78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0271.532] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f830, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìò*>lû\x18", lpUsedDefaultChar=0x0) returned 256 [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x80) returned 0x673868 [0271.532] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x184) returned 0x681e00 [0271.532] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0271.532] GetLastError () returned 0x0 [0271.532] SetLastError (dwErrCode=0x0) [0271.532] GetEnvironmentStringsW () returned 0x681f90* [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0xa8c) returned 0x682a28 [0271.532] FreeEnvironmentStringsW (penv=0x681f90) returned 1 [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x90) returned 0x6747b8 [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x3e) returned 0x67ae78 [0271.532] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x5c) returned 0x678a90 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x6e) returned 0x674880 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x78) returned 0x684068 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x62) returned 0x674c50 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x28) returned 0x673d88 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x48) returned 0x673fd8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x1a) returned 0x670570 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x3a) returned 0x67ad58 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x62) returned 0x673be8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2a) returned 0x6786d8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2e) returned 0x6787f0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x1c) returned 0x673db8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x144) returned 0x679ca8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x7c) returned 0x6782f0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x36) returned 0x67e6f0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x3a) returned 0x67b028 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x90) returned 0x6745f0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x24) returned 0x673908 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x30) returned 0x678898 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x36) returned 0x67e6b0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x48) returned 0x672900 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x52) returned 0x6704b8 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x3c) returned 0x67aec0 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0xd6) returned 0x679e68 [0271.533] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2e) returned 0x6788d0 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x1e) returned 0x672950 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2c) returned 0x678710 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x54) returned 0x673e00 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x52) returned 0x674060 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x24) returned 0x673e60 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x42) returned 0x6740c0 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x2c) returned 0x678828 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x44) returned 0x679f98 [0271.534] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x24) returned 0x673938 [0271.535] HeapFree (in: hHeap=0x670000, dwFlags=0x0, lpMem=0x682a28 | out: hHeap=0x670000) returned 1 [0271.535] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x8, Size=0x800) returned 0x681f90 [0271.535] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0271.535] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0271.535] GetStartupInfoW (in: lpStartupInfo=0x18fb98 | out: lpStartupInfo=0x18fb98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0271.535] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"" [0271.535] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"", pNumArgs=0x18fb84 | out: pNumArgs=0x18fb84) returned 0x682be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0271.536] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0271.539] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x1000) returned 0x6844c8 [0271.539] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x32) returned 0x67e0b0 [0271.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setPINPromptHook", cchWideChar=-1, lpMultiByteStr=0x67e0b0, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setPINPromptHook", lpUsedDefaultChar=0x0) returned 25 [0271.539] GetLastError () returned 0x0 [0271.539] SetLastError (dwErrCode=0x0) [0271.539] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookW") returned 0x0 [0271.539] GetLastError () returned 0x7f [0271.539] SetLastError (dwErrCode=0x7f) [0271.539] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHookA") returned 0x0 [0271.539] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setPINPromptHook") returned 0x647cb197 [0271.540] RtlAllocateHeap (HeapHandle=0x670000, Flags=0x0, Size=0x4) returned 0x673810 [0271.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x673810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0271.540] GetActiveWindow () returned 0x0 [0271.541] GetLastError () returned 0x7f [0271.541] SetLastError (dwErrCode=0x7f) Thread: id = 848 os_tid = 0x1074 Process: id = "401" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x69ba2000" os_pid = "0x1300" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "400" os_parent_pid = "0x1318" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4888 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29666 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29667 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29668 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29669 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29670 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 29671 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 29672 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 29673 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29674 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29675 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 29676 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 29677 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29678 start_va = 0x7ed60000 end_va = 0x7ed82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed60000" filename = "" Region: id = 29679 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29680 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29681 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 29682 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29683 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29684 start_va = 0x100000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 29685 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29686 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29687 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29688 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29689 start_va = 0x410000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 29690 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29691 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29692 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29693 start_va = 0x7ec60000 end_va = 0x7ed5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec60000" filename = "" Region: id = 29694 start_va = 0x110000 end_va = 0x1cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29695 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29696 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29697 start_va = 0x440000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 29698 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 29699 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29700 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29701 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29702 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29703 start_va = 0x580000 end_va = 0x583fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 29704 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29705 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29706 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29707 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29708 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 29709 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 29710 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 29711 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 29712 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 29713 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 29714 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29715 start_va = 0x590000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 29716 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 29717 start_va = 0x590000 end_va = 0x593fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 29718 start_va = 0x5a0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 29719 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29720 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29721 start_va = 0x5b0000 end_va = 0x5d9fff monitored = 0 entry_point = 0x5b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29722 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 29723 start_va = 0x630000 end_va = 0x7b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 29724 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29725 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 29726 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 29727 start_va = 0x5b0000 end_va = 0x5b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 29744 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29745 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 29746 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 29747 start_va = 0x950000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 29793 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 29794 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 29795 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29796 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29797 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29798 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 29799 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29800 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29801 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29802 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29803 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29804 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29805 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29806 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29807 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29808 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29809 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29810 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29811 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29812 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29813 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29814 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29815 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29816 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29817 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29818 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29819 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29820 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29821 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29822 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29823 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29824 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29825 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 29834 start_va = 0x5e0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29835 start_va = 0x950000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 29836 start_va = 0xad0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 29837 start_va = 0x990000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 29841 start_va = 0x5e0000 end_va = 0x5e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 29842 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29843 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 29844 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29845 start_va = 0x6f800000 end_va = 0x6f86ffff monitored = 0 entry_point = 0x6f854b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 29846 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 29847 start_va = 0xae0000 end_va = 0xbc9fff monitored = 0 entry_point = 0xb1d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29872 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 29873 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29874 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 29875 start_va = 0xae0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 29876 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29877 start_va = 0xbe0000 end_va = 0xf16fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 29885 start_va = 0x5f0000 end_va = 0x5f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29886 start_va = 0x5f0000 end_va = 0x5f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29887 start_va = 0x5f0000 end_va = 0x5f5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29888 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29889 start_va = 0xf20000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 29890 start_va = 0x5f0000 end_va = 0x5f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29891 start_va = 0x5f0000 end_va = 0x5fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29892 start_va = 0x5f0000 end_va = 0x5fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29893 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29894 start_va = 0x5f0000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29895 start_va = 0x5f0000 end_va = 0x603fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29896 start_va = 0x5f0000 end_va = 0x605fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29897 start_va = 0x5f0000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29898 start_va = 0x5f0000 end_va = 0x609fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29899 start_va = 0x5f0000 end_va = 0x60bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29900 start_va = 0x5f0000 end_va = 0x60dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29901 start_va = 0x5f0000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29932 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 29968 start_va = 0x6610000 end_va = 0x66d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 29969 start_va = 0xa10000 end_va = 0xac3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 29978 start_va = 0x1020000 end_va = 0x10c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 30053 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 30054 start_va = 0x600000 end_va = 0x602fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 30055 start_va = 0x610000 end_va = 0x613fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 30056 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 30057 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30058 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30059 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30060 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30061 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30062 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30063 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30064 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30065 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30070 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30071 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30072 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30073 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30074 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30075 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30076 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30077 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30078 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30079 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30080 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30081 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30082 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30083 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 30084 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30087 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30088 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30089 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30090 start_va = 0x950000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30091 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 30092 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 30093 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30094 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30095 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30096 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30097 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30100 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 30101 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 30102 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 30103 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 30104 start_va = 0x950000 end_va = 0x950fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 30105 start_va = 0x960000 end_va = 0x961fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 30121 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 30122 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 30123 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 30124 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 30946 start_va = 0xa10000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 30947 start_va = 0xa50000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 30948 start_va = 0xa90000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 30949 start_va = 0x1020000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 30950 start_va = 0x1060000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001060000" filename = "" Region: id = 30951 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 30952 start_va = 0x6f800000 end_va = 0x6f808fff monitored = 0 entry_point = 0x6f803830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 31192 start_va = 0x950000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 31193 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31363 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 31518 start_va = 0x950000 end_va = 0x954fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 31519 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 31520 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31646 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 31795 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 31796 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 31800 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 31801 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31952 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32092 start_va = 0x980000 end_va = 0x981fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 32093 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 32095 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 32096 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 32097 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 32098 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 32099 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 32101 start_va = 0x6810000 end_va = 0x6810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006810000" filename = "" Region: id = 32102 start_va = 0x6810000 end_va = 0x68cbfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006810000" filename = "" Region: id = 32103 start_va = 0x68d0000 end_va = 0x68d3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068d0000" filename = "" Region: id = 32104 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 32105 start_va = 0x68e0000 end_va = 0x68e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068e0000" filename = "" Region: id = 32106 start_va = 0x68f0000 end_va = 0x68f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000068f0000" filename = "" Region: id = 32107 start_va = 0x6900000 end_va = 0x6900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006900000" filename = "" Region: id = 32108 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 32109 start_va = 0x6910000 end_va = 0x6910fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 32110 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 32111 start_va = 0x6920000 end_va = 0x6922fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 32112 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 32113 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 32133 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 32134 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 32252 start_va = 0x6930000 end_va = 0x6930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006930000" filename = "" Region: id = 32253 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 851 os_tid = 0x10d4 Thread: id = 852 os_tid = 0x10b8 Thread: id = 856 os_tid = 0xd94 Thread: id = 882 os_tid = 0xe64 Thread: id = 883 os_tid = 0x9f8 Thread: id = 885 os_tid = 0xcc0 Thread: id = 918 os_tid = 0x1008 Thread: id = 928 os_tid = 0x1394 Process: id = "402" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xc22000" os_pid = "0x10c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29728 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29729 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29730 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29731 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29732 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29733 start_va = 0x8d0000 end_va = 0x8d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 29734 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29735 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29736 start_va = 0x7f910000 end_va = 0x7f932fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f910000" filename = "" Region: id = 29737 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29738 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29739 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29740 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29741 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29742 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29743 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29748 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29749 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29750 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29751 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29752 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29753 start_va = 0x8e0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 29754 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29755 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29756 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29757 start_va = 0x7f810000 end_va = 0x7f90ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f810000" filename = "" Region: id = 29758 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29759 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29760 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29761 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29762 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 29763 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29764 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29765 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29766 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29767 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29768 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29769 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29770 start_va = 0x8d0000 end_va = 0x8d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 29771 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29772 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29773 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29774 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29775 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29776 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29777 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29778 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29779 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29780 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29781 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 29782 start_va = 0x8e0000 end_va = 0x909fff monitored = 0 entry_point = 0x8e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29783 start_va = 0x930000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 29784 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29785 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29786 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29787 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 29788 start_va = 0xa30000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 29789 start_va = 0xbc0000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 29790 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29791 start_va = 0xbc0000 end_va = 0xc50fff monitored = 0 entry_point = 0xbf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29792 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 29826 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29827 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 29828 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 29829 start_va = 0x8f0000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 29830 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 29831 start_va = 0x900000 end_va = 0x901fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 29832 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 29833 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 29838 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 29839 start_va = 0x900000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Thread: id = 853 os_tid = 0x768 [0272.163] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0272.163] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.163] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0272.163] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.163] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0272.163] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0272.164] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.164] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0272.164] GetProcessHeap () returned 0x930000 [0272.164] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.165] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0272.165] GetLastError () returned 0x7e [0272.165] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0272.165] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0272.165] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x364) returned 0x9409b0 [0272.165] SetLastError (dwErrCode=0x7e) [0272.165] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xe00) returned 0x940d20 [0272.167] GetStartupInfoW (in: lpStartupInfo=0x18fde0 | out: lpStartupInfo=0x18fde0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0272.167] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0272.167] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0272.167] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0272.167] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"" [0272.167] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"" [0272.167] GetACP () returned 0x4e4 [0272.167] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x220) returned 0x941b28 [0272.167] IsValidCodePage (CodePage=0x4e4) returned 1 [0272.167] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe00 | out: lpCPInfo=0x18fe00) returned 1 [0272.167] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f6c8 | out: lpCPInfo=0x18f6c8) returned 1 [0272.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x18f468, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0272.167] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f6dc | out: lpCharType=0x18f6dc) returned 1 [0272.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.167] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0272.168] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.168] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0272.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0272.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f208, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0272.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fbdc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÜ\x16Ò\x9b\x18þ\x18", lpUsedDefaultChar=0x0) returned 256 [0272.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fcdc, cbMultiByte=256, lpWideCharStr=0x18f438, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0272.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0272.168] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f228, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0272.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fadc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÜ\x16Ò\x9b\x18þ\x18", lpUsedDefaultChar=0x0) returned 256 [0272.168] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x80) returned 0x933880 [0272.168] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0272.168] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x198) returned 0x941d50 [0272.168] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0272.168] GetLastError () returned 0x0 [0272.168] SetLastError (dwErrCode=0x0) [0272.168] GetEnvironmentStringsW () returned 0x941ef0* [0272.169] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0xa8c) returned 0x942988 [0272.169] FreeEnvironmentStringsW (penv=0x941ef0) returned 1 [0272.169] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x934570 [0272.169] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3e) returned 0x93a9d0 [0272.169] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x5c) returned 0x938ab0 [0272.221] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x6e) returned 0x934868 [0272.221] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x78) returned 0x943448 [0272.221] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x934a08 [0272.221] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x28) returned 0x933da0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x933ff0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1a) returned 0x933dd0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93ab80 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x62) returned 0x934638 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2a) returned 0x938960 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x938810 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1c) returned 0x9347d8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x144) returned 0x939cc8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x7c) returned 0x9343a8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93e040 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3a) returned 0x93ad78 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x90) returned 0x933e18 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x934800 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x30) returned 0x9388b8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x36) returned 0x93e1c0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x48) returned 0x933c00 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x933920 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x3c) returned 0x93aca0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0xd6) returned 0x939e88 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2e) returned 0x9389d0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x1e) returned 0x933c50 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x938a08 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x54) returned 0x932910 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x52) returned 0x9304b8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x934078 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x42) returned 0x9340a8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x2c) returned 0x9386c0 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x44) returned 0x939fb8 [0272.222] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x24) returned 0x9340f8 [0272.223] HeapFree (in: hHeap=0x930000, dwFlags=0x0, lpMem=0x942988 | out: hHeap=0x930000) returned 1 [0272.223] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x8, Size=0x800) returned 0x941ef0 [0272.223] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0272.223] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0272.223] GetStartupInfoW (in: lpStartupInfo=0x18fe44 | out: lpStartupInfo=0x18fe44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0272.223] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"" [0272.223] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"", pNumArgs=0x18fe30 | out: pNumArgs=0x18fe30) returned 0x942b40*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0272.224] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0272.227] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x1000) returned 0x944428 [0272.227] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x46) returned 0x9382e8 [0272.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setProtectedAuthentication", cchWideChar=-1, lpMultiByteStr=0x9382e8, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setProtectedAuthentication", lpUsedDefaultChar=0x0) returned 35 [0272.227] GetLastError () returned 0x0 [0272.227] SetLastError (dwErrCode=0x0) [0272.227] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationW") returned 0x0 [0272.227] GetLastError () returned 0x7f [0272.227] SetLastError (dwErrCode=0x7f) [0272.228] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthenticationA") returned 0x0 [0272.228] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setProtectedAuthentication") returned 0x647cb381 [0272.228] RtlAllocateHeap (HeapHandle=0x930000, Flags=0x0, Size=0x4) returned 0x933eb0 [0272.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x933eb0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0272.228] GetActiveWindow () returned 0x0 [0272.229] GetLastError () returned 0x7f [0272.230] SetLastError (dwErrCode=0x7f) Thread: id = 855 os_tid = 0xc64 Process: id = "403" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5a6df000" os_pid = "0x10fc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "400" os_parent_pid = "0x1318" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setPINPromptHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "404" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xdaf000" os_pid = "0xb64" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "402" os_parent_pid = "0x10c0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setProtectedAuthentication /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "405" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xc4a000" os_pid = "0xc4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29856 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29857 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29858 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29859 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29860 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29861 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29862 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29863 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29864 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 29865 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29866 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29867 start_va = 0x7ebc0000 end_va = 0x7ebe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebc0000" filename = "" Region: id = 29868 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29869 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29870 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29871 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29878 start_va = 0x580000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 29879 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29880 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29881 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29882 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29883 start_va = 0x700000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 29884 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29902 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29903 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29904 start_va = 0x7eac0000 end_va = 0x7ebbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eac0000" filename = "" Region: id = 29905 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29906 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29907 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29908 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29909 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29910 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29911 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29912 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29913 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29914 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29915 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29916 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29917 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 29918 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 29919 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29920 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29921 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29922 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29923 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 29924 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 29925 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 29926 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 29927 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 29928 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 29929 start_va = 0x5d0000 end_va = 0x5f9fff monitored = 0 entry_point = 0x5d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29930 start_va = 0x8c0000 end_va = 0xa47fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 29931 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 29933 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 29934 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 29935 start_va = 0x5e0000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29936 start_va = 0xa50000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 29937 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 29938 start_va = 0x5e0000 end_va = 0x670fff monitored = 0 entry_point = 0x618cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 29939 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 29942 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 29943 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 29944 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 29945 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 29946 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29947 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 29948 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 29949 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 29950 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 29951 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Thread: id = 858 os_tid = 0xf54 [0272.949] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0272.949] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.950] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0272.950] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.950] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0272.950] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0272.951] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.952] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0272.952] GetProcessHeap () returned 0x7c0000 [0272.952] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.952] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0272.952] GetLastError () returned 0x7e [0272.952] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0272.953] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0272.953] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x364) returned 0x7d0a60 [0272.953] SetLastError (dwErrCode=0x7e) [0272.953] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xe00) returned 0x7d0dd0 [0272.955] GetStartupInfoW (in: lpStartupInfo=0x18f898 | out: lpStartupInfo=0x18f898*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0272.955] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0272.955] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0272.955] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0272.955] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"" [0272.955] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"" [0272.955] GetACP () returned 0x4e4 [0272.955] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x220) returned 0x7d1bd8 [0272.955] IsValidCodePage (CodePage=0x4e4) returned 1 [0272.955] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8b8 | out: lpCPInfo=0x18f8b8) returned 1 [0272.955] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f180 | out: lpCPInfo=0x18f180) returned 1 [0272.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0272.955] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f194 | out: lpCharType=0x18f194) returned 1 [0272.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0272.956] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0272.956] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0272.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0272.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0272.956] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f694, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìó<ÀÐø\x18", lpUsedDefaultChar=0x0) returned 256 [0272.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0272.956] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f794, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0272.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0272.956] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0272.956] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f594, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿìó<ÀÐø\x18", lpUsedDefaultChar=0x0) returned 256 [0272.956] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x80) returned 0x7c3868 [0272.956] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0272.956] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x184) returned 0x7d1e00 [0272.956] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0272.956] GetLastError () returned 0x0 [0272.957] SetLastError (dwErrCode=0x0) [0272.957] GetEnvironmentStringsW () returned 0x7d1f90* [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0xa8c) returned 0x7d2a28 [0272.957] FreeEnvironmentStringsW (penv=0x7d1f90) returned 1 [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x90) returned 0x7c4558 [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3e) returned 0x7cad58 [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x5c) returned 0x7c8830 [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x6e) returned 0x7c4620 [0272.957] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x78) returned 0x7d3fe8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x62) returned 0x7c49f0 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x28) returned 0x7c3d88 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x48) returned 0x7c3fd8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1a) returned 0x7c0570 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3a) returned 0x7cacc8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x62) returned 0x7c3be8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2a) returned 0x7c8638 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e) returned 0x7c8440 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1c) returned 0x7c3db8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x144) returned 0x7c9ca8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x7c) returned 0x7c8090 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x36) returned 0x7ce0f0 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3a) returned 0x7cade8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x90) returned 0x7c4390 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x24) returned 0x7c3908 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x30) returned 0x7c8670 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x36) returned 0x7ce5f0 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x48) returned 0x7c2900 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x52) returned 0x7c04b8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x3c) returned 0x7cad10 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0xd6) returned 0x7c9e68 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2e) returned 0x7c8590 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x1e) returned 0x7c2950 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2c) returned 0x7c85c8 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x54) returned 0x7c3e00 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x52) returned 0x7c4060 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x24) returned 0x7c3e60 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x42) returned 0x7c40c0 [0272.958] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x2c) returned 0x7c86a8 [0272.959] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x44) returned 0x7c9f98 [0272.959] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x24) returned 0x7c3938 [0272.959] HeapFree (in: hHeap=0x7c0000, dwFlags=0x0, lpMem=0x7d2a28 | out: hHeap=0x7c0000) returned 1 [0272.959] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x8, Size=0x800) returned 0x7d1f90 [0272.959] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0272.959] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0272.959] GetStartupInfoW (in: lpStartupInfo=0x18f8fc | out: lpStartupInfo=0x18f8fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0272.960] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"" [0272.960] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"", pNumArgs=0x18f8e8 | out: pNumArgs=0x18f8e8) returned 0x7d2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0272.960] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0272.963] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x1000) returned 0x7d44c8 [0272.963] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x32) returned 0x7ce570 [0272.963] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setSlotEventHook", cchWideChar=-1, lpMultiByteStr=0x7ce570, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setSlotEventHook", lpUsedDefaultChar=0x0) returned 25 [0272.963] GetLastError () returned 0x0 [0272.963] SetLastError (dwErrCode=0x0) [0272.963] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookW") returned 0x0 [0272.964] GetLastError () returned 0x7f [0272.964] SetLastError (dwErrCode=0x7f) [0272.964] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHookA") returned 0x0 [0272.964] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setSlotEventHook") returned 0x647cb106 [0272.964] RtlAllocateHeap (HeapHandle=0x7c0000, Flags=0x0, Size=0x4) returned 0x7c3810 [0272.964] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x7c3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0272.964] GetActiveWindow () returned 0x0 [0272.965] GetLastError () returned 0x7f [0272.965] SetLastError (dwErrCode=0x7f) Thread: id = 860 os_tid = 0x10bc Process: id = "406" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xb52000" os_pid = "0x13b4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 29952 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 29953 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 29954 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 29955 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 29956 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 29957 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 29958 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 29959 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 29960 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 29961 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 29962 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 29963 start_va = 0x7ee30000 end_va = 0x7ee52fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee30000" filename = "" Region: id = 29964 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 29965 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 29966 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 29967 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 29970 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29971 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 29972 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 29973 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29974 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 29975 start_va = 0x4c0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 29976 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 29977 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 29979 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 29980 start_va = 0x7ed30000 end_va = 0x7ee2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed30000" filename = "" Region: id = 29981 start_va = 0x620000 end_va = 0x6ddfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 29982 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 29983 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 29984 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 29985 start_va = 0x6e0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 29986 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 29987 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 29988 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 29989 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 29990 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 29991 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 29992 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 29993 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 29994 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 29995 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 29996 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 29997 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 29998 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 29999 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30000 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30001 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30002 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30003 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30004 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30005 start_va = 0x410000 end_va = 0x439fff monitored = 0 entry_point = 0x415680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30006 start_va = 0x7e0000 end_va = 0x967fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 30007 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30008 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30009 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 30010 start_va = 0x970000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 30011 start_va = 0xb00000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 30012 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 30013 start_va = 0xb00000 end_va = 0xb90fff monitored = 0 entry_point = 0xb38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30014 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 30015 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 30016 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 30017 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 30018 start_va = 0x430000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 30066 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 30067 start_va = 0x440000 end_va = 0x441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 30068 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 30069 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 30085 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 30086 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Thread: id = 861 os_tid = 0xdcc [0273.597] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0273.597] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0273.597] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0273.597] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0273.597] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0273.597] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0273.598] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0273.598] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0273.599] GetProcessHeap () returned 0x520000 [0273.599] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0273.599] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0273.599] GetLastError () returned 0x7e [0273.599] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0273.599] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0273.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x364) returned 0x530a60 [0273.599] SetLastError (dwErrCode=0x7e) [0273.599] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xe00) returned 0x530dd0 [0273.601] GetStartupInfoW (in: lpStartupInfo=0x18fc04 | out: lpStartupInfo=0x18fc04*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0273.601] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0273.601] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0273.601] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0273.601] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"" [0273.601] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"" [0273.601] GetACP () returned 0x4e4 [0273.601] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x220) returned 0x531bd8 [0273.601] IsValidCodePage (CodePage=0x4e4) returned 1 [0273.601] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc24 | out: lpCPInfo=0x18fc24) returned 1 [0273.601] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4ec | out: lpCPInfo=0x18f4ec) returned 1 [0273.601] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0273.601] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x18f288, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0273.601] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f500 | out: lpCharType=0x18f500) returned 1 [0273.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0273.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x18f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0273.602] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0273.602] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0273.602] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0273.602] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f038, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0273.602] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa00, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e\x89kÇ<ü\x18", lpUsedDefaultChar=0x0) returned 256 [0273.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0273.602] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb00, cbMultiByte=256, lpWideCharStr=0x18f258, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0273.602] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0273.602] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f048, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0273.602] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f900, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x8e\x89kÇ<ü\x18", lpUsedDefaultChar=0x0) returned 256 [0273.602] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x80) returned 0x523868 [0273.602] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0273.602] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x188) returned 0x531e00 [0273.602] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0273.602] GetLastError () returned 0x0 [0273.602] SetLastError (dwErrCode=0x0) [0273.602] GetEnvironmentStringsW () returned 0x531f90* [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0xa8c) returned 0x532a28 [0273.603] FreeEnvironmentStringsW (penv=0x531f90) returned 1 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x90) returned 0x524558 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3e) returned 0x52ade8 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x5c) returned 0x528830 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x6e) returned 0x524620 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x78) returned 0x533c68 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x62) returned 0x5249f0 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x28) returned 0x523d88 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x48) returned 0x523fd8 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1a) returned 0x520570 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3a) returned 0x52ae30 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x62) returned 0x523be8 [0273.603] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2a) returned 0x528558 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2e) returned 0x528440 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1c) returned 0x523db8 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x144) returned 0x529a48 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x7c) returned 0x528090 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x36) returned 0x52e1f0 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3a) returned 0x52b148 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x90) returned 0x524390 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523908 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x30) returned 0x528590 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x36) returned 0x52e0f0 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x48) returned 0x522900 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x52) returned 0x5204b8 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x3c) returned 0x52a9b0 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0xd6) returned 0x529c08 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2e) returned 0x528788 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x1e) returned 0x522950 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2c) returned 0x5286a8 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x54) returned 0x523e00 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x52) returned 0x524060 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523e60 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x42) returned 0x5240c0 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x2c) returned 0x528670 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x44) returned 0x529f98 [0273.604] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x24) returned 0x523938 [0273.605] HeapFree (in: hHeap=0x520000, dwFlags=0x0, lpMem=0x532a28 | out: hHeap=0x520000) returned 1 [0273.605] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x8, Size=0x800) returned 0x531f90 [0273.605] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0273.605] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0273.605] GetStartupInfoW (in: lpStartupInfo=0x18fc68 | out: lpStartupInfo=0x18fc68*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0273.605] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"" [0273.605] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"", pNumArgs=0x18fc54 | out: pNumArgs=0x18fc54) returned 0x532be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0273.606] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0273.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x1000) returned 0x5344c8 [0273.608] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x36) returned 0x52e670 [0273.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_setTokenPromptHook", cchWideChar=-1, lpMultiByteStr=0x52e670, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_setTokenPromptHook", lpUsedDefaultChar=0x0) returned 27 [0273.609] GetLastError () returned 0x0 [0273.609] SetLastError (dwErrCode=0x0) [0273.609] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookW") returned 0x0 [0273.609] GetLastError () returned 0x7f [0273.609] SetLastError (dwErrCode=0x7f) [0273.609] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHookA") returned 0x0 [0273.609] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_setTokenPromptHook") returned 0x647cb228 [0273.609] RtlAllocateHeap (HeapHandle=0x520000, Flags=0x0, Size=0x4) returned 0x523810 [0273.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x523810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0273.609] GetActiveWindow () returned 0x0 [0273.610] GetLastError () returned 0x7f [0273.610] SetLastError (dwErrCode=0x7f) Thread: id = 863 os_tid = 0x1004 Process: id = "407" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xd5f000" os_pid = "0xdc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "405" os_parent_pid = "0xc4c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setSlotEventHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "408" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xb09000" os_pid = "0xc80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "406" os_parent_pid = "0x13b4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_setTokenPromptHook /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "409" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x57368000" os_pid = "0x10d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30143 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30144 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30145 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30146 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30147 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30148 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 30149 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30150 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30151 start_va = 0xe60000 end_va = 0xe61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 30152 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 30153 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30154 start_va = 0x7f8f0000 end_va = 0x7f912fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f8f0000" filename = "" Region: id = 30155 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30156 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30157 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30158 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30169 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30170 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30171 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30172 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30173 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30177 start_va = 0xe70000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 30178 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30179 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30180 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30181 start_va = 0x7f7f0000 end_va = 0x7f8effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f7f0000" filename = "" Region: id = 30182 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30183 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30184 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30185 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 30186 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 30187 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30188 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30189 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30190 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30191 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30192 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30193 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30194 start_va = 0xe60000 end_va = 0xe63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 30195 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30196 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30197 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30198 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30199 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30200 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30201 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30202 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30203 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30204 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30205 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 30206 start_va = 0xe70000 end_va = 0xe99fff monitored = 0 entry_point = 0xe75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30207 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 30208 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30211 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30212 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30213 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 30214 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 30215 start_va = 0x10b0000 end_va = 0x125ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 30216 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 30217 start_va = 0xe70000 end_va = 0xf00fff monitored = 0 entry_point = 0xea8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30218 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 30219 start_va = 0xe70000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 30220 start_va = 0x920000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 30221 start_va = 0xe70000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 30222 start_va = 0xe90000 end_va = 0xe95fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 30223 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30224 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30225 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30228 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30229 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30230 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30231 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30232 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30233 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30234 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30235 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30236 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30237 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30238 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30239 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30240 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30241 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30242 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30243 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30244 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30245 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30246 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30247 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30248 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30249 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30250 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30251 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30252 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30253 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30254 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30255 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30256 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30257 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30258 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30259 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30260 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30261 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30262 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30263 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30264 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30265 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30266 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30267 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30268 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30269 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30270 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30271 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30272 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30273 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30274 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30275 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30276 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30277 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30278 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30279 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30280 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30281 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30282 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30283 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30284 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30285 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30286 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30287 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30288 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30289 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30290 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30291 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30292 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30293 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30294 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30295 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30296 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30297 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30298 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30299 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30300 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30301 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30302 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30303 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30304 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30305 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30306 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30307 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30308 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30309 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30310 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30311 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30312 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30313 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30314 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30315 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30316 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30317 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30318 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30319 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30320 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30321 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30322 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30323 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30324 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30325 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30326 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30327 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30328 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30329 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30330 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30331 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30332 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30333 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30334 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30335 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30336 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30337 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30338 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30339 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30340 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30341 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30342 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30343 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30344 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30345 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30346 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30347 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30348 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30349 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30350 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30351 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30352 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30353 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30354 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30355 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30356 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30357 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30358 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30359 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30360 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30361 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30362 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30363 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30364 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30365 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30366 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30367 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30368 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30369 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30370 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30371 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30372 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30373 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30374 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30375 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30376 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30377 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30378 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30379 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30380 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30381 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30382 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30383 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30384 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30385 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30386 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30387 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30388 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30389 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30390 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30391 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30392 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30393 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30394 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30395 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30396 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30397 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30398 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30399 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30400 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30401 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30402 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30403 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30404 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30405 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30406 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30407 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30408 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30409 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30410 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30411 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30412 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30413 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30414 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30415 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30416 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30417 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30418 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30419 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30420 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30421 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30422 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30423 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30424 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30425 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30426 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30427 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30428 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30429 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30430 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30431 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30432 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30433 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30434 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30435 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30436 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30437 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30438 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30439 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30440 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30441 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30442 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30443 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30444 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30445 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30446 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30447 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30448 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30449 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30450 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30451 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30452 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30453 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30454 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30455 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30456 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30457 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30458 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30459 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30460 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30461 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30462 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30463 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30464 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30465 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30466 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30467 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30468 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30469 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30470 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30471 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30472 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30473 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 30474 start_va = 0xe70000 end_va = 0xe75fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Thread: id = 866 os_tid = 0xc0c [0275.221] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0275.221] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0275.222] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0275.222] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0275.222] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0275.222] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0275.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0275.223] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0275.223] GetProcessHeap () returned 0xfb0000 [0275.223] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0275.223] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0275.223] GetLastError () returned 0x7e [0275.223] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0275.223] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0275.224] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x364) returned 0xfc0a48 [0275.224] SetLastError (dwErrCode=0x7e) [0275.224] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0xe00) returned 0xfc0db8 [0275.225] GetStartupInfoW (in: lpStartupInfo=0x18fc60 | out: lpStartupInfo=0x18fc60*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0275.225] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0275.225] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0275.225] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0275.225] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"" [0275.226] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"" [0275.226] GetACP () returned 0x4e4 [0275.226] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0x220) returned 0xfc1bc0 [0275.226] IsValidCodePage (CodePage=0x4e4) returned 1 [0275.226] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc80 | out: lpCPInfo=0x18fc80) returned 1 [0275.226] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f548 | out: lpCPInfo=0x18f548) returned 1 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x18f2e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0275.226] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f55c | out: lpCharType=0x18f55c) returned 1 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0275.226] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0275.226] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0275.226] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0275.226] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f088, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0275.226] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa5c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿíÛ¿D\x98ü\x18", lpUsedDefaultChar=0x0) returned 256 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0275.226] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb5c, cbMultiByte=256, lpWideCharStr=0x18f2b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0275.226] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0275.226] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f0a8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0275.227] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f95c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿíÛ¿D\x98ü\x18", lpUsedDefaultChar=0x0) returned 256 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0x80) returned 0xfb3850 [0275.227] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x176) returned 0xfc1de8 [0275.227] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0275.227] GetLastError () returned 0x0 [0275.227] SetLastError (dwErrCode=0x0) [0275.227] GetEnvironmentStringsW () returned 0xfc1f68* [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0xa8c) returned 0xfc2a00 [0275.227] FreeEnvironmentStringsW (penv=0xfc1f68) returned 1 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x90) returned 0xfb47a0 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x3e) returned 0xfbaea8 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x5c) returned 0xfb8a78 [0275.227] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x6e) returned 0xfb4868 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x78) returned 0xfc3740 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x62) returned 0xfb4c38 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x28) returned 0xfb3d70 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x48) returned 0xfb3fc0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x1a) returned 0xfb0570 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x3a) returned 0xfbaab8 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x62) returned 0xfb3bd0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x2a) returned 0xfb8768 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x2e) returned 0xfb8998 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x1c) returned 0xfb3da0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x144) returned 0xfb9c90 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x7c) returned 0xfb82d8 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x36) returned 0xfbe118 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x3a) returned 0xfbac68 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x90) returned 0xfb45d8 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x24) returned 0xfb38f0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x30) returned 0xfb89d0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x36) returned 0xfbdf58 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x48) returned 0xfb28f0 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x52) returned 0xfb04b8 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x3c) returned 0xfbb010 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0xd6) returned 0xfb9e50 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x2e) returned 0xfb8688 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x1e) returned 0xfb2940 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x2c) returned 0xfb8848 [0275.228] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x54) returned 0xfb3de8 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x52) returned 0xfb4048 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x24) returned 0xfb3e48 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x42) returned 0xfb40a8 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x2c) returned 0xfb8650 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x44) returned 0xfb9f80 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x24) returned 0xfb3920 [0275.229] HeapFree (in: hHeap=0xfb0000, dwFlags=0x0, lpMem=0xfc2a00 | out: hHeap=0xfb0000) returned 1 [0275.229] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x8, Size=0x800) returned 0xfc1f68 [0275.229] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0275.229] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0275.230] GetStartupInfoW (in: lpStartupInfo=0x18fcc4 | out: lpStartupInfo=0x18fcc4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0275.230] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"" [0275.230] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_terminate /fn_args=\"1\"", pNumArgs=0x18fcb0 | out: pNumArgs=0x18fcb0) returned 0xfc2bb8*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0275.230] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0275.239] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0x1000) returned 0xfc44a0 [0275.239] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0x24) returned 0xfba6c8 [0275.239] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_terminate", cchWideChar=-1, lpMultiByteStr=0xfba6c8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_terminate", lpUsedDefaultChar=0x0) returned 18 [0275.239] GetLastError () returned 0x0 [0275.239] SetLastError (dwErrCode=0x0) [0275.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateW") returned 0x0 [0275.240] GetLastError () returned 0x7f [0275.240] SetLastError (dwErrCode=0x7f) [0275.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminateA") returned 0x0 [0275.240] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_terminate") returned 0x647cad58 [0275.240] RtlAllocateHeap (HeapHandle=0xfb0000, Flags=0x0, Size=0x4) returned 0xfb37f8 [0275.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xfb37f8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0275.240] GetActiveWindow () returned 0x0 [0275.241] HeapFree (in: hHeap=0xfb0000, dwFlags=0x0, lpMem=0xfc44a0 | out: hHeap=0xfb0000) returned 1 [0275.241] HeapFree (in: hHeap=0xfb0000, dwFlags=0x0, lpMem=0xfba6c8 | out: hHeap=0xfb0000) returned 1 [0275.241] HeapFree (in: hHeap=0xfb0000, dwFlags=0x0, lpMem=0xfb37f8 | out: hHeap=0xfb0000) returned 1 [0275.241] GetCurrentProcessId () returned 0x10d8 [0275.241] GetCurrentThreadId () returned 0xc0c [0275.241] CreateToolhelp32Snapshot (dwFlags=0x4, th32ProcessID=0x0) returned 0x150 [0275.262] Thread32First (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.263] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.264] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.409] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.410] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.410] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.411] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.412] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.412] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.413] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.413] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.414] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.414] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.415] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.416] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.416] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.417] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.417] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.418] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.419] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.420] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.421] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.422] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.422] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.423] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.423] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.424] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.424] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.425] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.426] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.426] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.427] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.427] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.428] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.429] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.429] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.430] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.430] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.431] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.431] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.432] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.433] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.433] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.434] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.434] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.476] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.477] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.478] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.478] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.479] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.480] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.480] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.481] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.482] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.483] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.483] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.484] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.484] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.485] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.486] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.487] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.487] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.488] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.489] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.489] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.490] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.490] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.491] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.492] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.492] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.493] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.493] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.494] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.495] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.495] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.496] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.496] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.497] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.498] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.499] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.499] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.500] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.500] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.501] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.502] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.502] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.503] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.503] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.504] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.504] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.505] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.506] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.506] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.507] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.507] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.508] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.509] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.510] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.510] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.511] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.511] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.512] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.513] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.553] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.554] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.555] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.555] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.556] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.556] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.557] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.558] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.558] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.559] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.559] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.563] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.564] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.564] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.565] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.566] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.566] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.567] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.567] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.568] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.569] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.569] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.570] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.570] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.571] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.571] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.572] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.573] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.573] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.574] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.574] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.575] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.576] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.576] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.577] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.577] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.578] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.579] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.579] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.580] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.580] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.581] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.581] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.582] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.583] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.583] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.584] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.584] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.585] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.586] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.586] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.587] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.587] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.588] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.589] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.589] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.590] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.590] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.615] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.616] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.616] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.617] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.618] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.618] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.619] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.619] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.620] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.621] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.621] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.622] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.624] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.624] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.625] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.625] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.626] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.627] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.627] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.628] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.628] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.629] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.630] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.630] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.631] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.631] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.632] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.633] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.633] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.634] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.634] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.635] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.635] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.636] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.637] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.637] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.639] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.640] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.640] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.641] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.641] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.642] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.643] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.643] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.644] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.644] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.645] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.646] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.646] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.647] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.647] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.648] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.649] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.649] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.650] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.650] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.651] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.651] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.652] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.653] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.697] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.698] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.699] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.700] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.701] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.702] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.702] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.703] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.704] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.705] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.706] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.706] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.707] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.708] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.709] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.709] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.710] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.711] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.712] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.713] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.713] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.714] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.715] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.716] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.717] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.718] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.718] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.719] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0275.720] Thread32Next (hSnapshot=0x150, lpte=0x18fc94) returned 1 [0276.344] CloseHandle (hObject=0x150) returned 1 [0276.344] OpenThread (dwDesiredAccess=0x100000, bInheritHandle=0, dwThreadId=0x1130) returned 0x150 [0276.344] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) Thread: id = 868 os_tid = 0x1130 Process: id = "410" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0xb80000" os_pid = "0x108c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30475 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30476 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30477 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30478 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30479 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30480 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 30481 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30482 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30483 start_va = 0xdc0000 end_va = 0xdc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 30484 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 30485 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30486 start_va = 0x7e4c0000 end_va = 0x7e4e2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4c0000" filename = "" Region: id = 30487 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30488 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30489 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30490 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30491 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30492 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30493 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30494 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30495 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30496 start_va = 0xdd0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 30497 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30498 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30499 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30500 start_va = 0x7e3c0000 end_va = 0x7e4bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3c0000" filename = "" Region: id = 30501 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30502 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30503 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30504 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30505 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 30506 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30507 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30508 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30509 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30510 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30511 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30512 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30513 start_va = 0xdc0000 end_va = 0xdc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 30514 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30515 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30516 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30517 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30518 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30519 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30520 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30521 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30522 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30523 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30524 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 30525 start_va = 0xdd0000 end_va = 0xdf9fff monitored = 0 entry_point = 0xdd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30526 start_va = 0xf10000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 30527 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30530 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30531 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30532 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 30533 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 30534 start_va = 0x1010000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 30535 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 30536 start_va = 0xdd0000 end_va = 0xe60fff monitored = 0 entry_point = 0xe08cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30537 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 30538 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 30539 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 30540 start_va = 0xde0000 end_va = 0xde7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 30541 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 30542 start_va = 0xdf0000 end_va = 0xdf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 30543 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 30544 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 30545 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 30546 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Thread: id = 869 os_tid = 0xfb0 [0276.372] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0276.372] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.373] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0276.373] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.373] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0276.373] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0276.374] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.374] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0276.374] GetProcessHeap () returned 0xf10000 [0276.374] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.375] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0276.375] GetLastError () returned 0x7e [0276.375] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0276.375] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0276.375] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x364) returned 0xf209a8 [0276.375] SetLastError (dwErrCode=0x7e) [0276.375] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xe00) returned 0xf20d18 [0276.377] GetStartupInfoW (in: lpStartupInfo=0x18f7b8 | out: lpStartupInfo=0x18f7b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0276.377] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0276.377] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0276.377] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0276.377] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"" [0276.377] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"" [0276.377] GetACP () returned 0x4e4 [0276.377] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x220) returned 0xf21b20 [0276.377] IsValidCodePage (CodePage=0x4e4) returned 1 [0276.377] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f7d8 | out: lpCPInfo=0x18f7d8) returned 1 [0276.377] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f0a0 | out: lpCPInfo=0x18f0a0) returned 1 [0276.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x18ee48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0276.377] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f0b4 | out: lpCharType=0x18f0b4) returned 1 [0276.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.377] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x18edf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0276.378] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.378] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0276.378] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0276.378] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ebe8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0276.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f5b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿMùi6ð÷\x18", lpUsedDefaultChar=0x0) returned 256 [0276.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.378] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpWideCharStr=0x18ee18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0276.378] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0276.378] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ec08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0276.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f4b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿMùi6ð÷\x18", lpUsedDefaultChar=0x0) returned 256 [0276.378] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x80) returned 0xf13880 [0276.378] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0276.378] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x194) returned 0xf21d48 [0276.378] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0276.378] GetLastError () returned 0x0 [0276.378] SetLastError (dwErrCode=0x0) [0276.378] GetEnvironmentStringsW () returned 0xf21ee8* [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0xa8c) returned 0xf22980 [0276.379] FreeEnvironmentStringsW (penv=0xf21ee8) returned 1 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf14570 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3e) returned 0xf1aed8 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x5c) returned 0xf18aa8 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x6e) returned 0xf14638 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x78) returned 0xf23640 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf14c68 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x28) returned 0xf13da0 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf13ff0 [0276.379] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1a) returned 0xf10570 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1ab30 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x62) returned 0xf13c00 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2a) returned 0xf18920 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18958 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1c) returned 0xf13dd0 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x144) returned 0xf19cc0 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x7c) returned 0xf18308 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e2f8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3a) returned 0xf1ad70 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x90) returned 0xf143a8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13920 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x30) returned 0xf189c8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x36) returned 0xf1e238 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x48) returned 0xf12910 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf104b8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x3c) returned 0xf1aff8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0xd6) returned 0xf19e80 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2e) returned 0xf18990 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x1e) returned 0xf12960 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf18680 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x54) returned 0xf13e18 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x52) returned 0xf14078 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13e78 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x42) returned 0xf140d8 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x2c) returned 0xf186f0 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x44) returned 0xf19fb0 [0276.380] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x24) returned 0xf13950 [0276.381] HeapFree (in: hHeap=0xf10000, dwFlags=0x0, lpMem=0xf22980 | out: hHeap=0xf10000) returned 1 [0276.381] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x8, Size=0x800) returned 0xf21ee8 [0276.381] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0276.381] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0276.381] GetStartupInfoW (in: lpStartupInfo=0x18f81c | out: lpStartupInfo=0x18f81c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0276.381] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"" [0276.381] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"", pNumArgs=0x18f808 | out: pNumArgs=0x18f808) returned 0xf22b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0276.382] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0276.387] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x1000) returned 0xf24420 [0276.387] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x42) returned 0xf1a6f8 [0276.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_deserializeTokenId", cchWideChar=-1, lpMultiByteStr=0xf1a6f8, cbMultiByte=66, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_deserializeTokenId", lpUsedDefaultChar=0x0) returned 33 [0276.387] GetLastError () returned 0x0 [0276.387] SetLastError (dwErrCode=0x0) [0276.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdW") returned 0x0 [0276.388] GetLastError () returned 0x7f [0276.388] SetLastError (dwErrCode=0x7f) [0276.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenIdA") returned 0x0 [0276.388] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_deserializeTokenId") returned 0x647cd9f5 [0276.388] RtlAllocateHeap (HeapHandle=0xf10000, Flags=0x0, Size=0x4) returned 0xf13828 [0276.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xf13828, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0276.388] GetActiveWindow () returned 0x0 [0276.389] GetLastError () returned 0x7f [0276.389] SetLastError (dwErrCode=0x7f) Thread: id = 871 os_tid = 0xbfc Process: id = "411" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x76098000" os_pid = "0x103c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30547 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30548 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30549 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30550 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30551 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30552 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 30553 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30554 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30555 start_va = 0x7c0000 end_va = 0x7c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 30556 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 30557 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30558 start_va = 0x7fa80000 end_va = 0x7faa2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa80000" filename = "" Region: id = 30559 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30560 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30561 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30562 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30563 start_va = 0x400000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30564 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30565 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30566 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30567 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30568 start_va = 0x7d0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 30569 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30570 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30593 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30594 start_va = 0x7f980000 end_va = 0x7fa7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f980000" filename = "" Region: id = 30595 start_va = 0x460000 end_va = 0x51dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30596 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30597 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30598 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30599 start_va = 0x520000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 30600 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30601 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30602 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30603 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30604 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30605 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30606 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30607 start_va = 0x7c0000 end_va = 0x7c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 30608 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30609 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30610 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30611 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30619 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30620 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30621 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30622 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30623 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30624 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30625 start_va = 0x620000 end_va = 0x7a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 30626 start_va = 0x7d0000 end_va = 0x7f9fff monitored = 0 entry_point = 0x7d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30627 start_va = 0x9a0000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 30628 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30649 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30650 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30651 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 30652 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 30653 start_va = 0xaa0000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 30654 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 30655 start_va = 0xaa0000 end_va = 0xb30fff monitored = 0 entry_point = 0xad8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30656 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 30668 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 30669 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 30670 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 30671 start_va = 0x970000 end_va = 0x977fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 30677 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 30678 start_va = 0x980000 end_va = 0x981fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 30679 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 30680 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000980000" filename = "" Region: id = 30681 start_va = 0x970000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 30682 start_va = 0x980000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Thread: id = 872 os_tid = 0x1064 [0276.789] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0276.789] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.789] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0276.789] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.789] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0276.789] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0276.790] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.790] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0276.790] GetProcessHeap () returned 0x9a0000 [0276.790] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.791] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0276.791] GetLastError () returned 0x7e [0276.791] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0276.791] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0276.791] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x364) returned 0x9b09a0 [0276.791] SetLastError (dwErrCode=0x7e) [0276.791] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xe00) returned 0x9b0d10 [0276.793] GetStartupInfoW (in: lpStartupInfo=0x18fe1c | out: lpStartupInfo=0x18fe1c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0276.793] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0276.793] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0276.793] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0276.793] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"" [0276.793] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"" [0276.793] GetACP () returned 0x4e4 [0276.793] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x220) returned 0x9b1b18 [0276.793] IsValidCodePage (CodePage=0x4e4) returned 1 [0276.793] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe3c | out: lpCPInfo=0x18fe3c) returned 1 [0276.793] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f704 | out: lpCPInfo=0x18f704) returned 1 [0276.793] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.793] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0276.793] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f718 | out: lpCharType=0x18f718) returned 1 [0276.793] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.793] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f458, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0276.794] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0276.794] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0276.794] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0276.794] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f248, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0276.794] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿO+º£Tþ\x18", lpUsedDefaultChar=0x0) returned 256 [0276.794] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0276.794] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd18, cbMultiByte=256, lpWideCharStr=0x18f478, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0276.794] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0276.794] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f268, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0276.794] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb18, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿO+º£Tþ\x18", lpUsedDefaultChar=0x0) returned 256 [0276.794] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x80) returned 0x9a3878 [0276.794] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0276.794] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x190) returned 0x9b1d40 [0276.795] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0276.795] GetLastError () returned 0x0 [0276.795] SetLastError (dwErrCode=0x0) [0276.795] GetEnvironmentStringsW () returned 0x9b1ed8* [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa8c) returned 0x9b2970 [0276.795] FreeEnvironmentStringsW (penv=0x9b1ed8) returned 1 [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a4568 [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3e) returned 0x9aafa8 [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x5c) returned 0x9a8840 [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x6e) returned 0x9a4630 [0276.795] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x78) returned 0x9b3c30 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a4a00 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x28) returned 0x9a3d98 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a3fe8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1a) returned 0x9a0570 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aae40 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x62) returned 0x9a3bf8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2a) returned 0x9a8568 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a8530 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1c) returned 0x9a3dc8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x144) returned 0x9a9cb8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x7c) returned 0x9a80a0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae2f0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3a) returned 0x9aadb0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x90) returned 0x9a43a0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3918 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x30) returned 0x9a85a0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x36) returned 0x9ae330 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x48) returned 0x9a2908 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a04b8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x3c) returned 0x9ab080 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0xd6) returned 0x9a9e78 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2e) returned 0x9a86f0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x1e) returned 0x9a2958 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8610 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x54) returned 0x9a3e10 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x52) returned 0x9a4070 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3e70 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x42) returned 0x9a40d0 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x2c) returned 0x9a8648 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x44) returned 0x9a9fa8 [0276.796] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x24) returned 0x9a3948 [0276.797] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9b2970 | out: hHeap=0x9a0000) returned 1 [0276.797] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x8, Size=0x800) returned 0x9b1ed8 [0276.797] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0276.797] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0276.797] GetStartupInfoW (in: lpStartupInfo=0x18fe80 | out: lpStartupInfo=0x18fe80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0276.797] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"" [0276.797] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"", pNumArgs=0x18fe6c | out: pNumArgs=0x18fe6c) returned 0x9b2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0276.798] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0276.851] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x1000) returned 0x9b4410 [0276.851] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x3e) returned 0x9aac00 [0276.851] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_duplicateTokenId", cchWideChar=-1, lpMultiByteStr=0x9aac00, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_duplicateTokenId", lpUsedDefaultChar=0x0) returned 31 [0276.851] GetLastError () returned 0x0 [0276.851] SetLastError (dwErrCode=0x0) [0276.852] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdW") returned 0x0 [0276.852] GetLastError () returned 0x7f [0276.852] SetLastError (dwErrCode=0x7f) [0276.852] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenIdA") returned 0x0 [0276.852] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_duplicateTokenId") returned 0x647c4602 [0276.852] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x4) returned 0x9a3820 [0276.852] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x9a3820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0276.852] GetActiveWindow () returned 0x0 [0276.853] GetLastError () returned 0x7f [0276.853] SetLastError (dwErrCode=0x7f) Thread: id = 875 os_tid = 0xc70 Process: id = "412" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x15fac000" os_pid = "0x1390" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "410" os_parent_pid = "0x108c" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4236 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30571 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30572 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30573 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30574 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30575 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30576 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 30577 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30578 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30579 start_va = 0x800000 end_va = 0x800fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 30580 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 30581 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 30582 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30583 start_va = 0x7f240000 end_va = 0x7f262fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f240000" filename = "" Region: id = 30584 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30585 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30586 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 30587 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30588 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30589 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30590 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30591 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30592 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30612 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30613 start_va = 0x810000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 30614 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30615 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30616 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30617 start_va = 0x7f140000 end_va = 0x7f23ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f140000" filename = "" Region: id = 30618 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30629 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30630 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30631 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30632 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 30633 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30634 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30635 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30636 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30637 start_va = 0x800000 end_va = 0x803fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 30638 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30639 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30640 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30641 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30642 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 30643 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 30644 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 30645 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 30646 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30647 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 30648 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 30657 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 30658 start_va = 0x8b0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 30659 start_va = 0x9b0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 30660 start_va = 0x820000 end_va = 0x823fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 30661 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30662 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30663 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 30664 start_va = 0x830000 end_va = 0x859fff monitored = 0 entry_point = 0x835680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30665 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30666 start_va = 0xad0000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 30667 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 30672 start_va = 0x830000 end_va = 0x833fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 30673 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30674 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 30675 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 30676 start_va = 0x840000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 30683 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 30684 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 30685 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 30686 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 30687 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30688 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 30689 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 30690 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30691 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30692 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30693 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30694 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30695 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30696 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30697 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30698 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30699 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30700 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30701 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30702 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30703 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30704 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30705 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30706 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30707 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30708 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30709 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30710 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30711 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30712 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30713 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30714 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30715 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30716 start_va = 0x870000 end_va = 0x876fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 30759 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 30760 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 30761 start_va = 0x9b0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 30762 start_va = 0xac0000 end_va = 0xacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 30828 start_va = 0x870000 end_va = 0x871fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 30829 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30830 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 30831 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30832 start_va = 0x6f810000 end_va = 0x6f87ffff monitored = 0 entry_point = 0x6f864b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 30833 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 30834 start_va = 0xc60000 end_va = 0xd49fff monitored = 0 entry_point = 0xc9d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30844 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 30845 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30846 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 30847 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 30848 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30868 start_va = 0xd60000 end_va = 0x1096fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 30869 start_va = 0x880000 end_va = 0x881fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30870 start_va = 0x880000 end_va = 0x883fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30871 start_va = 0x880000 end_va = 0x885fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30872 start_va = 0x880000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30873 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 30874 start_va = 0x880000 end_va = 0x889fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30875 start_va = 0x880000 end_va = 0x88bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30876 start_va = 0x880000 end_va = 0x88dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30877 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30878 start_va = 0x880000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30879 start_va = 0x880000 end_va = 0x893fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30880 start_va = 0x880000 end_va = 0x895fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30881 start_va = 0x880000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30882 start_va = 0x880000 end_va = 0x899fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30883 start_va = 0x880000 end_va = 0x89bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30884 start_va = 0x880000 end_va = 0x89dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30885 start_va = 0x880000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 30918 start_va = 0x6530000 end_va = 0x660ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 30999 start_va = 0x6610000 end_va = 0x66dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 31046 start_va = 0x66e0000 end_va = 0x6796fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066e0000" filename = "" Region: id = 31055 start_va = 0x67a0000 end_va = 0x6845fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067a0000" filename = "" Region: id = 31117 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 31118 start_va = 0x890000 end_va = 0x892fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 31119 start_va = 0x8a0000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 31120 start_va = 0x6610000 end_va = 0x6e0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006610000" filename = "" Region: id = 31121 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31122 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31123 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31124 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31125 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31126 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31127 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31128 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31129 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31130 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31131 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31132 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31133 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31134 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31146 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31147 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31148 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31149 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31150 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31151 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31152 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31153 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31154 start_va = 0x6610000 end_va = 0x670ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 31155 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31156 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31157 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31158 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31159 start_va = 0xa30000 end_va = 0xa36fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31167 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 31168 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 31169 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31170 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31171 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31172 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31173 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31181 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 31182 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 31183 start_va = 0x460000 end_va = 0x461fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 31184 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 31185 start_va = 0xa30000 end_va = 0xa30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 31186 start_va = 0x470000 end_va = 0x471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 31187 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31188 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 31189 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 31190 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31526 start_va = 0x4d0000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31527 start_va = 0x7c0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 31528 start_va = 0xa50000 end_va = 0xa8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 31529 start_va = 0x10a0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 31530 start_va = 0x6710000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006710000" filename = "" Region: id = 31531 start_va = 0x6750000 end_va = 0x678ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 31621 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 31775 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31776 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31923 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32069 start_va = 0xa30000 end_va = 0xa34fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 32070 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 32071 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 32196 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32418 start_va = 0x6790000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 32419 start_va = 0x67d0000 end_va = 0x680ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000067d0000" filename = "" Region: id = 32442 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 32443 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 32608 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32781 start_va = 0x480000 end_va = 0x481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 32782 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 32803 start_va = 0x6810000 end_va = 0x684ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 32804 start_va = 0x6850000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006850000" filename = "" Region: id = 32805 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 32806 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 32807 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 32808 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 32809 start_va = 0x6890000 end_va = 0x694bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006890000" filename = "" Region: id = 32810 start_va = 0xa90000 end_va = 0xa93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 32811 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 32812 start_va = 0xaa0000 end_va = 0xaa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 32813 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 32814 start_va = 0x6950000 end_va = 0x6950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 32817 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 32818 start_va = 0x6960000 end_va = 0x6960fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 32819 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 32820 start_va = 0x6970000 end_va = 0x6972fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 32821 start_va = 0x4a0000 end_va = 0x4a2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 32822 start_va = 0x6980000 end_va = 0x6e71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006980000" filename = "" Region: id = 32823 start_va = 0x6e80000 end_va = 0x7ebffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 32840 start_va = 0x7ec0000 end_va = 0x7f01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007ec0000" filename = "" Region: id = 32868 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 32869 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 874 os_tid = 0x130c Thread: id = 876 os_tid = 0x138c Thread: id = 879 os_tid = 0xdfc Thread: id = 902 os_tid = 0xd28 Thread: id = 903 os_tid = 0xd14 Thread: id = 904 os_tid = 0x13f0 Thread: id = 940 os_tid = 0x134c Thread: id = 951 os_tid = 0xfcc Process: id = "413" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x1a4b2000" os_pid = "0x12b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "411" os_parent_pid = "0x103c" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4156 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30717 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30718 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30719 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30720 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30721 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 30722 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 30723 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 30724 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30725 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 30726 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 30727 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 30728 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30729 start_va = 0x7ec70000 end_va = 0x7ec92fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec70000" filename = "" Region: id = 30730 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30731 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30732 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 30733 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30734 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30735 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30736 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30737 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30738 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30739 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30740 start_va = 0xa60000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 30763 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30764 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30765 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30766 start_va = 0x7eb70000 end_va = 0x7ec6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb70000" filename = "" Region: id = 30767 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30768 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30769 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30770 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30771 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 30772 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30773 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30774 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30775 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30784 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 30785 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30786 start_va = 0xa50000 end_va = 0xa53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 30787 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30788 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30789 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30790 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 30791 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 30792 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30793 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 30794 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 30795 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 30796 start_va = 0xa60000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 30797 start_va = 0xb50000 end_va = 0xc4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 30798 start_va = 0xa80000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 30799 start_va = 0xa60000 end_va = 0xa63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 30800 start_va = 0xa70000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 30835 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30836 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30837 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 30838 start_va = 0xab0000 end_va = 0xad9fff monitored = 0 entry_point = 0xab5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30839 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30840 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 30841 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 30842 start_va = 0xa80000 end_va = 0xa83fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 30843 start_va = 0xaa0000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 30852 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30853 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 30854 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 30855 start_va = 0xc50000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 30856 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 30857 start_va = 0xab0000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 30858 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 30859 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30860 start_va = 0xac0000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 30861 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 30886 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30887 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30888 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30889 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30890 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30891 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30892 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30893 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30894 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30895 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30896 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30897 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30898 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30899 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30900 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30901 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30902 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30903 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30904 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30909 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30910 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30911 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30912 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30913 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30914 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30915 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30916 start_va = 0xac0000 end_va = 0xac6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 30919 start_va = 0x790000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 30920 start_va = 0x7d0000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 30921 start_va = 0xac0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 30945 start_va = 0xb40000 end_va = 0xb41fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 30970 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 30971 start_va = 0xd40000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 30972 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 30973 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30974 start_va = 0x6f810000 end_va = 0x6f87ffff monitored = 0 entry_point = 0x6f864b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 30975 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 30976 start_va = 0xc50000 end_va = 0xd39fff monitored = 0 entry_point = 0xc8d650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30977 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 30978 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30979 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 30996 start_va = 0xd50000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 30997 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30998 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 31028 start_va = 0xc50000 end_va = 0xc51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31029 start_va = 0xc50000 end_va = 0xc53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31030 start_va = 0xc50000 end_va = 0xc55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31031 start_va = 0xc50000 end_va = 0xc57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31032 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 31033 start_va = 0xc50000 end_va = 0xc59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31034 start_va = 0xc50000 end_va = 0xc5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31035 start_va = 0xc50000 end_va = 0xc5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31036 start_va = 0xc50000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31037 start_va = 0xc50000 end_va = 0xc61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31038 start_va = 0xc50000 end_va = 0xc63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31039 start_va = 0xc50000 end_va = 0xc65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31040 start_va = 0xc50000 end_va = 0xc67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31041 start_va = 0xc50000 end_va = 0xc69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31042 start_va = 0xc50000 end_va = 0xc6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31043 start_va = 0xc50000 end_va = 0xc6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31044 start_va = 0xc50000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 31073 start_va = 0xc50000 end_va = 0xd2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 31164 start_va = 0xe50000 end_va = 0xf1afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 31180 start_va = 0xf20000 end_va = 0xfd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 31191 start_va = 0xfe0000 end_va = 0x1081fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 31194 start_va = 0xd30000 end_va = 0xd30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 31195 start_va = 0xe50000 end_va = 0xe52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 31196 start_va = 0xe60000 end_va = 0xe63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 31197 start_va = 0x6870000 end_va = 0x706ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 31198 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31199 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31200 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31201 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31202 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31203 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31204 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31221 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31222 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31223 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31224 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31225 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31226 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31227 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31228 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31229 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31230 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31231 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31232 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31233 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31234 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31235 start_va = 0xe70000 end_va = 0xe76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 31236 start_va = 0xe70000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 31237 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31246 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31247 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31248 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31249 start_va = 0xf70000 end_va = 0xf76fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31250 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 31251 start_va = 0x5e0000 end_va = 0x5e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 31252 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31253 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31254 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31255 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31256 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31277 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 31278 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 31279 start_va = 0x890000 end_va = 0x891fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 31280 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 31281 start_va = 0xf70000 end_va = 0xf70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 31282 start_va = 0x8a0000 end_va = 0x8a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 31283 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31284 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 31285 start_va = 0xf80000 end_va = 0xf80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f80000" filename = "" Region: id = 31286 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31609 start_va = 0x8b0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 31610 start_va = 0x8f0000 end_va = 0x92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 31611 start_va = 0x930000 end_va = 0x96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 31612 start_va = 0x970000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 31613 start_va = 0x9b0000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 31614 start_va = 0x9f0000 end_va = 0xa2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 31687 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 31798 start_va = 0xf70000 end_va = 0xf70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f70000" filename = "" Region: id = 31799 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 31942 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32086 start_va = 0xf70000 end_va = 0xf74fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werui.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\werui.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werui.dll.mui") Region: id = 32087 start_va = 0xf90000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f90000" filename = "" Region: id = 32088 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 32199 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32440 start_va = 0xf90000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 32441 start_va = 0xfd0000 end_va = 0x100ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 32467 start_va = 0x1010000 end_va = 0x1010fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Region: id = 32468 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 32625 start_va = 0x6f870000 end_va = 0x6f878fff monitored = 0 entry_point = 0x6f873830 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 32837 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 32838 start_va = 0x6f6c0000 end_va = 0x6f73afff monitored = 0 entry_point = 0x6f6e4d80 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\SysWOW64\\duser.dll" (normalized: "c:\\windows\\syswow64\\duser.dll") Region: id = 32846 start_va = 0x1010000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001010000" filename = "" Region: id = 32847 start_va = 0x1050000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 32848 start_va = 0x6f630000 end_va = 0x6f6b0fff monitored = 0 entry_point = 0x6f636310 region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 32849 start_va = 0x6f790000 end_va = 0x6f7a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 32850 start_va = 0x6f750000 end_va = 0x6f780fff monitored = 0 entry_point = 0x6f7622d0 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\SysWOW64\\msls31.dll" (normalized: "c:\\windows\\syswow64\\msls31.dll") Region: id = 32851 start_va = 0x1090000 end_va = 0x1090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 32852 start_va = 0x6870000 end_va = 0x692bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006870000" filename = "" Region: id = 32853 start_va = 0x1090000 end_va = 0x1093fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001090000" filename = "" Region: id = 32854 start_va = 0x74230000 end_va = 0x7424cfff monitored = 0 entry_point = 0x74233b10 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 32855 start_va = 0x10a0000 end_va = 0x10a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 32856 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 32857 start_va = 0x10c0000 end_va = 0x10c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010c0000" filename = "" Region: id = 32858 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 32859 start_va = 0x10d0000 end_va = 0x10d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "duser.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\duser.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\duser.dll.mui") Region: id = 32860 start_va = 0x6f9f0000 end_va = 0x6f9fcfff monitored = 0 entry_point = 0x6f9f7d80 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\SysWOW64\\atlthunk.dll" (normalized: "c:\\windows\\syswow64\\atlthunk.dll") Region: id = 32861 start_va = 0x6930000 end_va = 0x6932fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.10586.0_en-us_e9ce2dce92807715\\comctl32.dll.mui") Region: id = 32862 start_va = 0x6940000 end_va = 0x6942fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 32863 start_va = 0x6950000 end_va = 0x6e41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 32864 start_va = 0x6e50000 end_va = 0x7e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 32865 start_va = 0x7e90000 end_va = 0x7ed1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000007e90000" filename = "" Region: id = 32866 start_va = 0xa40000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 32867 start_va = 0x77500000 end_va = 0x7761efff monitored = 0 entry_point = 0x77545980 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Thread: id = 877 os_tid = 0x11a8 Thread: id = 881 os_tid = 0x414 Thread: id = 886 os_tid = 0xc9c Thread: id = 909 os_tid = 0xc28 Thread: id = 910 os_tid = 0xdf0 Thread: id = 911 os_tid = 0x12c0 Thread: id = 942 os_tid = 0x12d8 Thread: id = 953 os_tid = 0xa7c Process: id = "414" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x79b2f000" os_pid = "0xc8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30741 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30742 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30743 start_va = 0x80000 end_va = 0x81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30744 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30745 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 30746 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30747 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 30748 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30749 start_va = 0x7f850000 end_va = 0x7f872fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f850000" filename = "" Region: id = 30750 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30751 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30752 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30753 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30754 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 30755 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 30756 start_va = 0x70000 end_va = 0x71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 30776 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 30777 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30778 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30779 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30780 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30781 start_va = 0x580000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 30782 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30783 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30801 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30802 start_va = 0x7f750000 end_va = 0x7f84ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f750000" filename = "" Region: id = 30803 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30804 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 30805 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30806 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30807 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 30808 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 30809 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 30810 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30811 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30812 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30813 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30814 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30815 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30816 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30817 start_va = 0x80000 end_va = 0x83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 30818 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30819 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30820 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30821 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30822 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30823 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 30824 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 30825 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 30826 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 30827 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 30849 start_va = 0x1d0000 end_va = 0x1f9fff monitored = 0 entry_point = 0x1d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30850 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 30851 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 30862 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 30863 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 30864 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 30865 start_va = 0xb70000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 30866 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 30867 start_va = 0x680000 end_va = 0x710fff monitored = 0 entry_point = 0x6b8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 30905 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 30906 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 30907 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 30908 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 30917 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30924 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 30925 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 30926 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 30927 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 30928 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 878 os_tid = 0xc30 [0277.631] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0277.631] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0277.631] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0277.631] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0277.632] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0277.632] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0277.632] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0277.633] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0277.633] GetProcessHeap () returned 0x750000 [0277.633] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0277.633] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0277.633] GetLastError () returned 0x7e [0277.633] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0277.634] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0277.634] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x760a60 [0277.634] SetLastError (dwErrCode=0x7e) [0277.634] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760dd0 [0277.636] GetStartupInfoW (in: lpStartupInfo=0x1cf754 | out: lpStartupInfo=0x1cf754*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0277.636] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0277.636] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0277.636] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0277.636] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"" [0277.636] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"" [0277.636] GetACP () returned 0x4e4 [0277.636] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761bd8 [0277.636] IsValidCodePage (CodePage=0x4e4) returned 1 [0277.636] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf774 | out: lpCPInfo=0x1cf774) returned 1 [0277.636] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf03c | out: lpCPInfo=0x1cf03c) returned 1 [0277.636] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0277.636] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x1cedd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0277.637] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x1cf050 | out: lpCharType=0x1cf050) returned 1 [0277.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0277.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x1ced98, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0277.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0277.637] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0277.637] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0277.637] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1ceb88, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0277.637] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x1cf550, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ…\x94", lpUsedDefaultChar=0x0) returned 256 [0277.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0277.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf650, cbMultiByte=256, lpWideCharStr=0x1ceda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0277.637] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0277.637] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x1ceb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0277.637] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x1cf450, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ…\x94", lpUsedDefaultChar=0x0) returned 256 [0277.638] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753868 [0277.638] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0277.724] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x188) returned 0x761e00 [0277.724] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0277.724] GetLastError () returned 0x0 [0277.724] SetLastError (dwErrCode=0x0) [0277.724] GetEnvironmentStringsW () returned 0x761f90* [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762a28 [0277.725] FreeEnvironmentStringsW (penv=0x761f90) returned 1 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x754558 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75ade8 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758830 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x754620 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x7636e8 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x7549f0 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753d88 [0277.725] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x753fd8 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75ac38 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753be8 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x758638 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758750 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x753db8 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759a48 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x758090 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e230 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75b100 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x754390 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753908 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x758670 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e3b0 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752900 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75af50 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759c08 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758788 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752950 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758440 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x753e00 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x754060 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753e60 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x7540c0 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758478 [0277.726] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759d38 [0277.727] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753938 [0277.727] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762a28 | out: hHeap=0x750000) returned 1 [0277.727] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761f90 [0277.728] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0277.728] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0277.728] GetStartupInfoW (in: lpStartupInfo=0x1cf7b8 | out: lpStartupInfo=0x1cf7b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0277.728] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"" [0277.728] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"", pNumArgs=0x1cf7a4 | out: pNumArgs=0x1cf7a4) returned 0x762be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0277.729] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0277.732] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x7644c8 [0277.732] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x36) returned 0x75e630 [0277.732] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_ensureAccess", cchWideChar=-1, lpMultiByteStr=0x75e630, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_ensureAccess", lpUsedDefaultChar=0x0) returned 27 [0277.732] GetLastError () returned 0x0 [0277.732] SetLastError (dwErrCode=0x0) [0277.732] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessW") returned 0x0 [0277.733] GetLastError () returned 0x7f [0277.733] SetLastError (dwErrCode=0x7f) [0277.733] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccessA") returned 0x0 [0277.733] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_ensureAccess") returned 0x647cd3d9 [0277.733] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753810 [0277.733] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x753810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0277.733] GetActiveWindow () returned 0x0 [0277.736] GetLastError () returned 0x7f [0277.736] SetLastError (dwErrCode=0x7f) Thread: id = 884 os_tid = 0xca4 Process: id = "415" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6d5b3000" os_pid = "0x10a4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "410" os_parent_pid = "0x108c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_deserializeTokenId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "416" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x59ad1000" os_pid = "0x1320" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "411" os_parent_pid = "0x103c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_duplicateTokenId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "417" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x443c6000" os_pid = "0xf3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 30929 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 30930 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 30931 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 30932 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 30933 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 30934 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 30935 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 30936 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 30937 start_va = 0x7ec40000 end_va = 0x7ec62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ec40000" filename = "" Region: id = 30938 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 30939 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 30940 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 30941 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 30942 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 30943 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 30944 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 30953 start_va = 0x460000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 30954 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 30955 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 30956 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30957 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 30958 start_va = 0x5a0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 30959 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 30960 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 30961 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 30962 start_va = 0x7eb40000 end_va = 0x7ec3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007eb40000" filename = "" Region: id = 30963 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 30964 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 30965 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 30966 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 30967 start_va = 0x5a0000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 30968 start_va = 0x750000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 30969 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 30982 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 30983 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 30984 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 30985 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 30986 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 30987 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 30988 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 30989 start_va = 0x590000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 30990 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 30991 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 30992 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 30993 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 30994 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 30995 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31021 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31022 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31023 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31024 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31025 start_va = 0x4d0000 end_va = 0x4f9fff monitored = 0 entry_point = 0x4d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31026 start_va = 0x850000 end_va = 0x9d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 31027 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31047 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31048 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31049 start_va = 0x9e0000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 31050 start_va = 0xb70000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 31051 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31052 start_va = 0x4e0000 end_va = 0x570fff monitored = 0 entry_point = 0x518cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31072 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31083 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 31084 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 31085 start_va = 0x4f0000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 31108 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 31109 start_va = 0x500000 end_va = 0x501fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 31142 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 31143 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 31144 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 31145 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Thread: id = 887 os_tid = 0xcbc [0278.845] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0278.845] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0278.845] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0278.845] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0278.845] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0278.845] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0278.846] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0278.846] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0278.846] GetProcessHeap () returned 0x750000 [0278.846] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0278.847] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0278.847] GetLastError () returned 0x7e [0278.847] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0278.847] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0278.847] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x364) returned 0x760a60 [0278.847] SetLastError (dwErrCode=0x7e) [0278.847] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xe00) returned 0x760dd0 [0278.849] GetStartupInfoW (in: lpStartupInfo=0x18f84c | out: lpStartupInfo=0x18f84c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0278.849] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0278.849] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0278.849] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0278.849] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"" [0278.849] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"" [0278.849] GetACP () returned 0x4e4 [0278.849] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x220) returned 0x761bd8 [0278.849] IsValidCodePage (CodePage=0x4e4) returned 1 [0278.849] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f86c | out: lpCPInfo=0x18f86c) returned 1 [0278.849] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f134 | out: lpCPInfo=0x18f134) returned 1 [0278.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0278.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0278.849] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f148 | out: lpCharType=0x18f148) returned 1 [0278.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0278.850] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18ee88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0278.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0278.850] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0278.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0278.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ec78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0278.850] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f648, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿKy\x12\x8a\x84ø\x18", lpUsedDefaultChar=0x0) returned 256 [0278.850] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0278.850] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f748, cbMultiByte=256, lpWideCharStr=0x18eea8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0278.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0278.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ec98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0278.850] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f548, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿKy\x12\x8a\x84ø\x18", lpUsedDefaultChar=0x0) returned 256 [0278.850] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x80) returned 0x753868 [0278.850] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0278.850] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x188) returned 0x761e00 [0278.850] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0278.850] GetLastError () returned 0x0 [0278.850] SetLastError (dwErrCode=0x0) [0278.850] GetEnvironmentStringsW () returned 0x761f90* [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xa8c) returned 0x762a28 [0278.853] FreeEnvironmentStringsW (penv=0x761f90) returned 1 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7547b8 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3e) returned 0x75ac38 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x5c) returned 0x758a90 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x6e) returned 0x754880 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x78) returned 0x763e68 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x754c50 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x28) returned 0x753fe8 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x754238 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1a) returned 0x750570 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75ab18 [0278.853] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x62) returned 0x753e48 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2a) returned 0x7588d0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758828 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1c) returned 0x754018 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x144) returned 0x759ca8 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x7c) returned 0x7582f0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e6f0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3a) returned 0x75aec0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x90) returned 0x7545f0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753908 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x30) returned 0x758668 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x36) returned 0x75e430 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x48) returned 0x752900 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7504b8 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x3c) returned 0x75b070 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0xd6) returned 0x759e68 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2e) returned 0x758710 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x1e) returned 0x752950 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x7589b0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x54) returned 0x754060 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x52) returned 0x7542c0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x7540c0 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x42) returned 0x754320 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x2c) returned 0x758860 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x44) returned 0x759f98 [0278.854] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x24) returned 0x753938 [0278.855] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x762a28 | out: hHeap=0x750000) returned 1 [0278.855] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x8, Size=0x800) returned 0x761f90 [0278.855] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0278.855] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0278.855] GetStartupInfoW (in: lpStartupInfo=0x18f8b0 | out: lpStartupInfo=0x18f8b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0278.855] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"" [0278.856] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"", pNumArgs=0x18f89c | out: pNumArgs=0x18f89c) returned 0x762be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0278.856] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0279.047] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x1000) returned 0x7644c8 [0279.047] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x36) returned 0x75e170 [0279.047] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_enumTokenIds", cchWideChar=-1, lpMultiByteStr=0x75e170, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_enumTokenIds", lpUsedDefaultChar=0x0) returned 27 [0279.047] GetLastError () returned 0x0 [0279.047] SetLastError (dwErrCode=0x0) [0279.047] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsW") returned 0x0 [0279.047] GetLastError () returned 0x7f [0279.047] SetLastError (dwErrCode=0x7f) [0279.047] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIdsA") returned 0x0 [0279.047] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_enumTokenIds") returned 0x647c5113 [0279.047] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x4) returned 0x753810 [0279.047] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x753810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0279.048] GetActiveWindow () returned 0x0 [0279.146] GetLastError () returned 0x7f [0279.146] SetLastError (dwErrCode=0x7f) Thread: id = 889 os_tid = 0x13d0 Process: id = "418" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x522bc000" os_pid = "0x1388" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "414" os_parent_pid = "0xc8c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_ensureAccess /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "419" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x46ade000" os_pid = "0xc88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31056 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31057 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31058 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31059 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31060 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31061 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31062 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31063 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31064 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31065 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31066 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31067 start_va = 0x7ef90000 end_va = 0x7efb2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ef90000" filename = "" Region: id = 31068 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31069 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31070 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31071 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31074 start_va = 0x410000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 31075 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31076 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31077 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31078 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31079 start_va = 0x410000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 31080 start_va = 0x5e0000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 31081 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31082 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31086 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31087 start_va = 0x7ee90000 end_va = 0x7ef8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee90000" filename = "" Region: id = 31088 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31089 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31090 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31091 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31092 start_va = 0x5f0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 31093 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31094 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31095 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31096 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31097 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31098 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31099 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31100 start_va = 0x4c0000 end_va = 0x4c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31101 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 31102 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31103 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31104 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31105 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31106 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31107 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31110 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31111 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31112 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31113 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31114 start_va = 0x6f0000 end_va = 0x877fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 31115 start_va = 0x880000 end_va = 0x8a9fff monitored = 0 entry_point = 0x885680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31116 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31135 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31136 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 31137 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 31138 start_va = 0xa10000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 31139 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31140 start_va = 0xa10000 end_va = 0xaa0fff monitored = 0 entry_point = 0xa48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31141 start_va = 0xae0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 31160 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31161 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 31162 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 31163 start_va = 0xa20000 end_va = 0xa27fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 31174 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 31175 start_va = 0xa30000 end_va = 0xa31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31176 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 31177 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 31178 start_va = 0xa20000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 31179 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Thread: id = 890 os_tid = 0xd48 [0279.501] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0279.501] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0279.501] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0279.501] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0279.502] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0279.502] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0279.502] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0279.502] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0279.503] GetProcessHeap () returned 0x4d0000 [0279.503] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0279.503] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0279.503] GetLastError () returned 0x7e [0279.503] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0279.503] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0279.503] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x364) returned 0x4e0a60 [0279.504] SetLastError (dwErrCode=0x7e) [0279.504] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xe00) returned 0x4e0dd0 [0279.505] GetStartupInfoW (in: lpStartupInfo=0x18fc0c | out: lpStartupInfo=0x18fc0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0279.505] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0279.505] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0279.505] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0279.505] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"" [0279.505] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"" [0279.505] GetACP () returned 0x4e4 [0279.505] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x220) returned 0x4e1bd8 [0279.505] IsValidCodePage (CodePage=0x4e4) returned 1 [0279.505] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fc2c | out: lpCPInfo=0x18fc2c) returned 1 [0279.506] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f4f4 | out: lpCPInfo=0x18f4f4) returned 1 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x18f298, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0279.506] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f508 | out: lpCharType=0x18f508) returned 1 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x18f248, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0279.506] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0279.506] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0279.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0279.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f038, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0279.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x19§\x8c»Dü\x18", lpUsedDefaultChar=0x0) returned 256 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0279.506] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fb08, cbMultiByte=256, lpWideCharStr=0x18f268, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0279.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0279.506] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f058, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0279.506] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f908, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x19§\x8c»Dü\x18", lpUsedDefaultChar=0x0) returned 256 [0279.506] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x80) returned 0x4d3868 [0279.507] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x186) returned 0x4e1e00 [0279.507] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0279.507] GetLastError () returned 0x0 [0279.507] SetLastError (dwErrCode=0x0) [0279.507] GetEnvironmentStringsW () returned 0x4e1f90* [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0xa8c) returned 0x4e2a28 [0279.507] FreeEnvironmentStringsW (penv=0x4e1f90) returned 1 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x90) returned 0x4d4558 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3e) returned 0x4daad0 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x5c) returned 0x4d8830 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x6e) returned 0x4d4620 [0279.507] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x78) returned 0x4e3868 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x62) returned 0x4d49f0 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x28) returned 0x4d3d88 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x48) returned 0x4d3fd8 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1a) returned 0x4d0570 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3a) returned 0x4dab18 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x62) returned 0x4d3be8 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2a) returned 0x4d8558 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2e) returned 0x4d8440 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1c) returned 0x4d3db8 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x144) returned 0x4d9a48 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x7c) returned 0x4d8090 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x36) returned 0x4de670 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3a) returned 0x4daf08 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x90) returned 0x4d4390 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3908 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x30) returned 0x4d84b0 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x36) returned 0x4de4b0 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x48) returned 0x4d2900 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x52) returned 0x4d04b8 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x3c) returned 0x4dac80 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0xd6) returned 0x4d9c08 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2e) returned 0x4d8718 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x1e) returned 0x4d2950 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2c) returned 0x4d8590 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x54) returned 0x4d3e00 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x52) returned 0x4d4060 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3e60 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x42) returned 0x4d40c0 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x2c) returned 0x4d85c8 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x44) returned 0x4d9f98 [0279.508] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x24) returned 0x4d3938 [0279.509] HeapFree (in: hHeap=0x4d0000, dwFlags=0x0, lpMem=0x4e2a28 | out: hHeap=0x4d0000) returned 1 [0279.509] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x8, Size=0x800) returned 0x4e1f90 [0279.509] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0279.509] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0279.509] GetStartupInfoW (in: lpStartupInfo=0x18fc70 | out: lpStartupInfo=0x18fc70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0279.509] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"" [0279.509] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"", pNumArgs=0x18fc5c | out: pNumArgs=0x18fc5c) returned 0x4e2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0279.510] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0279.563] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x1000) returned 0x4e44c8 [0279.563] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x34) returned 0x4de270 [0279.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenId", cchWideChar=-1, lpMultiByteStr=0x4de270, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenId", lpUsedDefaultChar=0x0) returned 26 [0279.563] GetLastError () returned 0x0 [0279.563] SetLastError (dwErrCode=0x0) [0279.563] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdW") returned 0x0 [0279.563] GetLastError () returned 0x7f [0279.563] SetLastError (dwErrCode=0x7f) [0279.563] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdA") returned 0x0 [0279.564] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenId") returned 0x647c4538 [0279.564] RtlAllocateHeap (HeapHandle=0x4d0000, Flags=0x0, Size=0x4) returned 0x4d3810 [0279.564] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x4d3810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0279.564] GetActiveWindow () returned 0x0 [0279.565] GetLastError () returned 0x7f [0279.565] SetLastError (dwErrCode=0x7f) Thread: id = 892 os_tid = 0x11fc Process: id = "420" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6257f000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "417" os_parent_pid = "0xf3c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_enumTokenIds /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "421" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b7e6000" os_pid = "0x11f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "419" os_parent_pid = "0xc88" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "422" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5b1f4000" os_pid = "0xda8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31205 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31206 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31207 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31208 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31209 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31210 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31211 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31212 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31213 start_va = 0x7a0000 end_va = 0x7a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 31214 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31215 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31216 start_va = 0x7e4d0000 end_va = 0x7e4f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e4d0000" filename = "" Region: id = 31217 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31218 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31219 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31220 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31238 start_va = 0x400000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31239 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31240 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31241 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31242 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31243 start_va = 0x7b0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 31244 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31245 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31257 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31258 start_va = 0x7e3d0000 end_va = 0x7e4cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e3d0000" filename = "" Region: id = 31259 start_va = 0x4b0000 end_va = 0x56dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31260 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31261 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31262 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31263 start_va = 0x570000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 31264 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31265 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31266 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31267 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31268 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31269 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31270 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31271 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 31272 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31273 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31274 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31275 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31276 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31287 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31288 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31289 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31290 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31291 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31292 start_va = 0x7b0000 end_va = 0x7d9fff monitored = 0 entry_point = 0x7b5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31293 start_va = 0x7e0000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 31294 start_va = 0x8e0000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 31295 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31296 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31297 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31298 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 31299 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 31300 start_va = 0xc00000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 31301 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31302 start_va = 0xc00000 end_va = 0xc90fff monitored = 0 entry_point = 0xc38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31303 start_va = 0xd20000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 31304 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31305 start_va = 0x7b0000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 31306 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 31307 start_va = 0x7c0000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 31308 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 31311 start_va = 0x7d0000 end_va = 0x7d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 31312 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 31313 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 31314 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 31315 start_va = 0x7d0000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Thread: id = 893 os_tid = 0xcb8 [0280.512] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0280.512] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0280.513] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0280.513] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0280.513] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0280.513] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0280.514] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0280.514] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0280.514] GetProcessHeap () returned 0x7e0000 [0280.514] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0280.514] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0280.514] GetLastError () returned 0x7e [0280.515] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0280.515] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0280.515] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x364) returned 0x7f09a0 [0280.515] SetLastError (dwErrCode=0x7e) [0280.515] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xe00) returned 0x7f0d10 [0280.517] GetStartupInfoW (in: lpStartupInfo=0x18f9bc | out: lpStartupInfo=0x18f9bc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0280.517] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0280.517] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0280.517] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0280.517] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"" [0280.517] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"" [0280.517] GetACP () returned 0x4e4 [0280.517] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x220) returned 0x7f1b18 [0280.517] IsValidCodePage (CodePage=0x4e4) returned 1 [0280.517] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9dc | out: lpCPInfo=0x18f9dc) returned 1 [0280.517] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2a4 | out: lpCPInfo=0x18f2a4) returned 1 [0280.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0280.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x18f048, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0280.517] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f2b8 | out: lpCharType=0x18f2b8) returned 1 [0280.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0280.517] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0280.517] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0280.517] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0280.517] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0280.517] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ede8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0280.518] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7b8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÑâH^ôù\x18", lpUsedDefaultChar=0x0) returned 256 [0280.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0280.518] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8b8, cbMultiByte=256, lpWideCharStr=0x18f018, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0280.518] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0280.518] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0280.518] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6b8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÑâH^ôù\x18", lpUsedDefaultChar=0x0) returned 256 [0280.518] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x80) returned 0x7e3878 [0280.518] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0280.518] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x18e) returned 0x7f1d40 [0280.518] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0280.518] GetLastError () returned 0x0 [0280.518] SetLastError (dwErrCode=0x0) [0280.518] GetEnvironmentStringsW () returned 0x7f1ed8* [0280.518] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0xa8c) returned 0x7f2970 [0280.519] FreeEnvironmentStringsW (penv=0x7f1ed8) returned 1 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e4568 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3e) returned 0x7eac00 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x5c) returned 0x7e8840 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x6e) returned 0x7e4630 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x78) returned 0x7f3ab0 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e4a00 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x28) returned 0x7e3d98 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e3fe8 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1a) returned 0x7e0570 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7eb0c8 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x62) returned 0x7e3bf8 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2a) returned 0x7e86b8 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e8418 [0280.519] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1c) returned 0x7e3dc8 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x144) returned 0x7e9a58 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x7c) returned 0x7e80a0 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee630 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3a) returned 0x7eac90 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x90) returned 0x7e43a0 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3918 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x30) returned 0x7e84f8 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x36) returned 0x7ee170 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x48) returned 0x7e2908 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e04b8 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x3c) returned 0x7ead68 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0xd6) returned 0x7e9e78 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2e) returned 0x7e8530 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x1e) returned 0x7e2958 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e85d8 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x54) returned 0x7e3e10 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x52) returned 0x7e4070 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3e70 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x42) returned 0x7e40d0 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x2c) returned 0x7e86f0 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x44) returned 0x7e9fa8 [0280.520] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x24) returned 0x7e3948 [0280.521] HeapFree (in: hHeap=0x7e0000, dwFlags=0x0, lpMem=0x7f2970 | out: hHeap=0x7e0000) returned 1 [0280.521] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x8, Size=0x800) returned 0x7f1ed8 [0280.521] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0280.521] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0280.521] GetStartupInfoW (in: lpStartupInfo=0x18fa20 | out: lpStartupInfo=0x18fa20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0280.521] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"" [0280.521] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"", pNumArgs=0x18fa0c | out: pNumArgs=0x18fa0c) returned 0x7f2b28*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0280.522] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0280.527] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x1000) returned 0x7f4410 [0280.527] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x3c) returned 0x7eacd8 [0280.527] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_freeTokenIdList", cchWideChar=-1, lpMultiByteStr=0x7eacd8, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_freeTokenIdList", lpUsedDefaultChar=0x0) returned 30 [0280.527] GetLastError () returned 0x0 [0280.527] SetLastError (dwErrCode=0x0) [0280.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListW") returned 0x0 [0280.527] GetLastError () returned 0x7f [0280.527] SetLastError (dwErrCode=0x7f) [0280.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdListA") returned 0x0 [0280.527] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_freeTokenIdList") returned 0x647c502f [0280.527] RtlAllocateHeap (HeapHandle=0x7e0000, Flags=0x0, Size=0x4) returned 0x7e3820 [0280.527] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x7e3820, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0280.527] GetActiveWindow () returned 0x0 [0280.535] GetLastError () returned 0x7f [0280.535] SetLastError (dwErrCode=0x7f) Thread: id = 895 os_tid = 0x12b8 Process: id = "423" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x61835000" os_pid = "0x1144" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "422" os_parent_pid = "0xda8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_freeTokenIdList /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "424" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6050c000" os_pid = "0x13d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31339 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31340 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31341 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31342 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31343 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31344 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31345 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31346 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31347 start_va = 0x8b0000 end_va = 0x8b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 31348 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31349 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31350 start_va = 0x7ea60000 end_va = 0x7ea82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ea60000" filename = "" Region: id = 31351 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31352 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31353 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31354 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31355 start_va = 0x1c0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31356 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31357 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31358 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31359 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31360 start_va = 0x8c0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 31364 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31365 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31366 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31367 start_va = 0x7e960000 end_va = 0x7ea5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e960000" filename = "" Region: id = 31368 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31369 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31370 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31371 start_va = 0x4c0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31372 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 31373 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31374 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31375 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31376 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31377 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31378 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31399 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31400 start_va = 0x8b0000 end_va = 0x8b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 31401 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31402 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31403 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31404 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31405 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31406 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31407 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31408 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31409 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31410 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31411 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 31412 start_va = 0x8c0000 end_va = 0x8e9fff monitored = 0 entry_point = 0x8c5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31413 start_va = 0xab0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 31414 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31415 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31416 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31417 start_va = 0x1d0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 31418 start_va = 0x8c0000 end_va = 0xa40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 31419 start_va = 0xbb0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 31420 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31421 start_va = 0xbb0000 end_va = 0xc40fff monitored = 0 entry_point = 0xbe8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31422 start_va = 0xcf0000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 31425 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31426 start_va = 0xa50000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 31427 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 31428 start_va = 0xa60000 end_va = 0xa67fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 31429 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 31430 start_va = 0xa70000 end_va = 0xa71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 31431 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 31432 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 31433 start_va = 0xa60000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 31434 start_va = 0xa70000 end_va = 0xa70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Thread: id = 896 os_tid = 0xba0 [0289.781] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0289.781] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0289.781] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0289.781] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0289.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0289.782] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0289.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0289.783] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0289.783] GetProcessHeap () returned 0xab0000 [0289.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0289.784] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0289.784] GetLastError () returned 0x7e [0289.785] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0289.785] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0289.785] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x364) returned 0xac0a18 [0289.785] SetLastError (dwErrCode=0x7e) [0289.785] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0xe00) returned 0xac0d88 [0289.787] GetStartupInfoW (in: lpStartupInfo=0x18f968 | out: lpStartupInfo=0x18f968*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0289.787] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0289.787] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0289.787] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0289.787] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"" [0289.787] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"" [0289.787] GetACP () returned 0x4e4 [0289.787] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x220) returned 0xac1b90 [0289.787] IsValidCodePage (CodePage=0x4e4) returned 1 [0289.788] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f988 | out: lpCPInfo=0x18f988) returned 1 [0289.788] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f250 | out: lpCPInfo=0x18f250) returned 1 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0289.788] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f264 | out: lpCharType=0x18f264) returned 1 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0289.788] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0289.788] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0289.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0289.788] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0289.788] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f764, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿl½ë\x06 ù\x18", lpUsedDefaultChar=0x0) returned 256 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0289.788] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f864, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0289.789] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0289.789] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0289.789] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f664, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿl½ë\x06 ù\x18", lpUsedDefaultChar=0x0) returned 256 [0289.789] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x80) returned 0xab3858 [0289.789] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0289.789] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x17a) returned 0xac1db8 [0289.789] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0289.789] GetLastError () returned 0x0 [0289.789] SetLastError (dwErrCode=0x0) [0289.789] GetEnvironmentStringsW () returned 0xac1f40* [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0xa8c) returned 0xac29d8 [0289.790] FreeEnvironmentStringsW (penv=0xac1f40) returned 1 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x90) returned 0xab4548 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x3e) returned 0xabab60 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x5c) returned 0xab8a48 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x6e) returned 0xab4840 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x78) returned 0xac4298 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x62) returned 0xab3fc8 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x28) returned 0xab9e20 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x48) returned 0xab3d78 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x1a) returned 0xab4610 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x3a) returned 0xaba9b0 [0289.790] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x62) returned 0xab47b0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x2a) returned 0xab8658 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x2e) returned 0xab8700 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x1c) returned 0xab4638 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x144) returned 0xab9c60 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x7c) returned 0xab82a8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x36) returned 0xabe4e8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x3a) returned 0xabaa88 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x90) returned 0xaba270 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x24) returned 0xab3bd8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x30) returned 0xab88c0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x36) returned 0xabe328 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x48) returned 0xab38f8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x52) returned 0xab28f0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x3c) returned 0xabab18 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0xd6) returned 0xab04a0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x2e) returned 0xab88f8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x1e) returned 0xab0580 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x2c) returned 0xab8770 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x54) returned 0xab4380 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x52) returned 0xab3df0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x24) returned 0xab43e0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x42) returned 0xab4050 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x2c) returned 0xab87a8 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x44) returned 0xab40a0 [0289.791] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x24) returned 0xab3e50 [0289.792] HeapFree (in: hHeap=0xab0000, dwFlags=0x0, lpMem=0xac29d8 | out: hHeap=0xab0000) returned 1 [0289.792] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x8, Size=0x800) returned 0xac1f40 [0289.792] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0289.792] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0289.793] GetStartupInfoW (in: lpStartupInfo=0x18f9cc | out: lpStartupInfo=0x18f9cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0289.793] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"" [0289.793] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"", pNumArgs=0x18f9b8 | out: pNumArgs=0x18f9b8) returned 0xac2b90*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0289.794] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0289.797] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x1000) returned 0xac4478 [0289.797] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x28) returned 0xaba388 [0289.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_login", cchWideChar=-1, lpMultiByteStr=0xaba388, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_login", lpUsedDefaultChar=0x0) returned 20 [0289.798] GetLastError () returned 0x0 [0289.798] SetLastError (dwErrCode=0x0) [0289.798] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginW") returned 0x0 [0289.798] GetLastError () returned 0x7f [0289.798] SetLastError (dwErrCode=0x7f) [0289.798] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_loginA") returned 0x0 [0289.798] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_login") returned 0x647c4c4b [0289.798] RtlAllocateHeap (HeapHandle=0xab0000, Flags=0x0, Size=0x4) returned 0xab40f0 [0289.798] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xab40f0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0289.798] GetActiveWindow () returned 0x0 [0289.800] GetLastError () returned 0x7f [0289.800] SetLastError (dwErrCode=0x7f) Thread: id = 898 os_tid = 0x1244 Process: id = "425" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50fd8000" os_pid = "0xfb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "424" os_parent_pid = "0x13d8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_login /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "426" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x35e24000" os_pid = "0xf40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31446 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31447 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31448 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31449 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31450 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31451 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31452 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31453 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 31454 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31455 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31456 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31457 start_va = 0x7f6e0000 end_va = 0x7f702fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6e0000" filename = "" Region: id = 31458 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31459 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31460 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31461 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31462 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31463 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31464 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31465 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31466 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31467 start_va = 0x440000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 31468 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31469 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31470 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31471 start_va = 0x7f5e0000 end_va = 0x7f6dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5e0000" filename = "" Region: id = 31472 start_va = 0x590000 end_va = 0x64dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31473 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31474 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31475 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31476 start_va = 0x650000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 31477 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31478 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31479 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31480 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31481 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31482 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31483 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31484 start_va = 0x400000 end_va = 0x403fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31485 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 31486 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31487 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31488 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31489 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31490 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31491 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31492 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31493 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31494 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31495 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31496 start_va = 0x440000 end_va = 0x469fff monitored = 0 entry_point = 0x445680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31497 start_va = 0x490000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 31498 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 31499 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31500 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31501 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 31502 start_va = 0x8e0000 end_va = 0xa60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 31503 start_va = 0xa70000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 31504 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31505 start_va = 0xa70000 end_va = 0xb00fff monitored = 0 entry_point = 0xaa8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31506 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 31508 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31509 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 31510 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 31511 start_va = 0x440000 end_va = 0x447fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 31512 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 31513 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 31514 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 31515 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 31516 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 31517 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Thread: id = 899 os_tid = 0xd34 [0292.163] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0292.164] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.164] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0292.164] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.164] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0292.164] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0292.165] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.165] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0292.165] GetProcessHeap () returned 0x490000 [0292.165] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.165] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0292.166] GetLastError () returned 0x7e [0292.166] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0292.166] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0292.166] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x364) returned 0x4a0a58 [0292.166] SetLastError (dwErrCode=0x7e) [0292.166] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xe00) returned 0x4a0dc8 [0292.168] GetStartupInfoW (in: lpStartupInfo=0x18fe44 | out: lpStartupInfo=0x18fe44*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0292.168] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0292.168] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0292.168] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0292.168] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"" [0292.168] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"" [0292.168] GetACP () returned 0x4e4 [0292.168] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x220) returned 0x4a1bd0 [0292.168] IsValidCodePage (CodePage=0x4e4) returned 1 [0292.168] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe64 | out: lpCPInfo=0x18fe64) returned 1 [0292.168] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f72c | out: lpCPInfo=0x18f72c) returned 1 [0292.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x18f4c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0292.168] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f740 | out: lpCharType=0x18f740) returned 1 [0292.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.168] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x18f488, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0292.168] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.169] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0292.169] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0292.169] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f278, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0292.169] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc40, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÉá\x1eg|þ\x18", lpUsedDefaultChar=0x0) returned 256 [0292.169] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.169] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd40, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0292.169] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0292.169] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0292.169] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb40, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÉá\x1eg|þ\x18", lpUsedDefaultChar=0x0) returned 256 [0292.169] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x80) returned 0x493860 [0292.169] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0292.169] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x17c) returned 0x4a1df8 [0292.169] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0292.169] GetLastError () returned 0x0 [0292.169] SetLastError (dwErrCode=0x0) [0292.169] GetEnvironmentStringsW () returned 0x4a1f80* [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0xa8c) returned 0x4a2a18 [0292.170] FreeEnvironmentStringsW (penv=0x4a1f80) returned 1 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x90) returned 0x494550 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3e) returned 0x49ad98 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x5c) returned 0x498828 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x6e) returned 0x494618 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x78) returned 0x4a3958 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x4949e8 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x28) returned 0x493d80 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x48) returned 0x493fd0 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1a) returned 0x490570 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3a) returned 0x49aac8 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x62) returned 0x493be0 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2a) returned 0x498588 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2e) returned 0x498630 [0292.170] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1c) returned 0x493db0 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x144) returned 0x499a40 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x7c) returned 0x498088 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x36) returned 0x49e268 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3a) returned 0x49b020 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x90) returned 0x494388 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493900 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x30) returned 0x498748 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x36) returned 0x49e628 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x48) returned 0x4928f8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x52) returned 0x4904b8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x3c) returned 0x49b068 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0xd6) returned 0x499e60 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2e) returned 0x4984a8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x1e) returned 0x492948 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2c) returned 0x4985f8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x54) returned 0x493df8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x52) returned 0x494058 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493e58 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x42) returned 0x4940b8 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x2c) returned 0x4984e0 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x44) returned 0x499f90 [0292.171] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x24) returned 0x493930 [0292.172] HeapFree (in: hHeap=0x490000, dwFlags=0x0, lpMem=0x4a2a18 | out: hHeap=0x490000) returned 1 [0292.172] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x8, Size=0x800) returned 0x4a1f80 [0292.172] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0292.172] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0292.172] GetStartupInfoW (in: lpStartupInfo=0x18fea8 | out: lpStartupInfo=0x18fea8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0292.172] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"" [0292.172] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"", pNumArgs=0x18fe94 | out: pNumArgs=0x18fe94) returned 0x4a2bd0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0292.173] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0292.203] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x1000) returned 0x4a44b8 [0292.203] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x2a) returned 0x498518 [0292.203] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_logout", cchWideChar=-1, lpMultiByteStr=0x498518, cbMultiByte=42, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_logout", lpUsedDefaultChar=0x0) returned 21 [0292.204] GetLastError () returned 0x0 [0292.204] SetLastError (dwErrCode=0x0) [0292.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutW") returned 0x0 [0292.204] GetLastError () returned 0x7f [0292.204] SetLastError (dwErrCode=0x7f) [0292.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logoutA") returned 0x0 [0292.204] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_logout") returned 0x647c4b1f [0292.204] RtlAllocateHeap (HeapHandle=0x490000, Flags=0x0, Size=0x4) returned 0x493808 [0292.204] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x493808, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0292.204] GetActiveWindow () returned 0x0 [0292.207] GetLastError () returned 0x7f [0292.207] SetLastError (dwErrCode=0x7f) Thread: id = 901 os_tid = 0xd0c Process: id = "427" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52448000" os_pid = "0x11d8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "426" os_parent_pid = "0xf40" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_logout /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "428" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7373a000" os_pid = "0x310" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31536 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31537 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31538 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31539 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31540 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31541 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31542 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31543 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31544 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 31545 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31546 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31547 start_va = 0x7f1a0000 end_va = 0x7f1c2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f1a0000" filename = "" Region: id = 31548 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31549 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31550 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31551 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31558 start_va = 0x530000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 31559 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31560 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31561 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31562 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31563 start_va = 0x530000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 31564 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 31565 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31566 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31567 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31568 start_va = 0x7f0a0000 end_va = 0x7f19ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f0a0000" filename = "" Region: id = 31569 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31570 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31571 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31572 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31573 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 31574 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31575 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31576 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31577 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31578 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31579 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31580 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31581 start_va = 0x520000 end_va = 0x523fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 31582 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31583 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31584 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31585 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31586 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31587 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31588 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31589 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31590 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31591 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31592 start_va = 0x640000 end_va = 0x669fff monitored = 0 entry_point = 0x645680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31593 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 31594 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31595 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31596 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31597 start_va = 0x930000 end_va = 0xab0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 31598 start_va = 0xac0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 31599 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31600 start_va = 0xac0000 end_va = 0xb50fff monitored = 0 entry_point = 0xaf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31601 start_va = 0xc10000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 31604 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31605 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 31606 start_va = 0x540000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 31607 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 31608 start_va = 0x640000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 31615 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 31616 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 31617 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 31618 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 31619 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 31620 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Thread: id = 905 os_tid = 0xee8 [0292.695] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0292.695] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.695] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0292.695] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.695] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0292.695] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0292.696] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.696] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0292.696] GetProcessHeap () returned 0x540000 [0292.696] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.697] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0292.697] GetLastError () returned 0x7e [0292.697] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0292.697] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0292.697] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x364) returned 0x550a60 [0292.698] SetLastError (dwErrCode=0x7e) [0292.699] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xe00) returned 0x550dd0 [0292.701] GetStartupInfoW (in: lpStartupInfo=0x18fd8c | out: lpStartupInfo=0x18fd8c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0292.701] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0292.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0292.701] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0292.701] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"" [0292.701] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"" [0292.701] GetACP () returned 0x4e4 [0292.701] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x220) returned 0x551bd8 [0292.701] IsValidCodePage (CodePage=0x4e4) returned 1 [0292.701] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fdac | out: lpCPInfo=0x18fdac) returned 1 [0292.701] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f674 | out: lpCPInfo=0x18f674) returned 1 [0292.701] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.701] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x18f418, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0292.701] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f688 | out: lpCharType=0x18f688) returned 1 [0292.701] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.701] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x18f3c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0292.701] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0292.702] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0292.702] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0292.702] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f1b8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0292.702] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fb88, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­bT¨Äý\x18", lpUsedDefaultChar=0x0) returned 256 [0292.702] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0292.702] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fc88, cbMultiByte=256, lpWideCharStr=0x18f3e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0292.702] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0292.702] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18f1d8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0292.702] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fa88, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­bT¨Äý\x18", lpUsedDefaultChar=0x0) returned 256 [0292.702] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x80) returned 0x543868 [0292.702] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0292.702] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x186) returned 0x551e00 [0292.702] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0292.702] GetLastError () returned 0x0 [0292.702] SetLastError (dwErrCode=0x0) [0292.702] GetEnvironmentStringsW () returned 0x551f90* [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0xa8c) returned 0x552a28 [0292.703] FreeEnvironmentStringsW (penv=0x551f90) returned 1 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544558 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3e) returned 0x54a9f8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x5c) returned 0x548830 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x6e) returned 0x544620 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x78) returned 0x5543e8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x5449f0 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x28) returned 0x543d88 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x543fd8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1a) returned 0x540570 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54ada0 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x62) returned 0x543be8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2a) returned 0x548750 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548408 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1c) returned 0x543db8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x144) returned 0x549ca8 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x7c) returned 0x548090 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e1b0 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3a) returned 0x54aa40 [0292.703] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x90) returned 0x544390 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543908 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x30) returned 0x5484b0 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x36) returned 0x54e4b0 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x48) returned 0x542900 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x5404b8 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x3c) returned 0x54b070 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0xd6) returned 0x549e68 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2e) returned 0x548590 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x1e) returned 0x542950 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x5484e8 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x54) returned 0x543e00 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x52) returned 0x544060 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543e60 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x42) returned 0x5440c0 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x2c) returned 0x548638 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x44) returned 0x549f98 [0292.704] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x24) returned 0x543938 [0292.705] HeapFree (in: hHeap=0x540000, dwFlags=0x0, lpMem=0x552a28 | out: hHeap=0x540000) returned 1 [0292.705] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x8, Size=0x800) returned 0x551f90 [0292.705] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0292.705] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0292.705] GetStartupInfoW (in: lpStartupInfo=0x18fdf0 | out: lpStartupInfo=0x18fdf0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0292.705] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"" [0292.705] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"", pNumArgs=0x18fddc | out: pNumArgs=0x18fddc) returned 0x552be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0292.748] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0292.751] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x1000) returned 0x5544c8 [0292.751] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x34) returned 0x54e4f0 [0292.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_token_sameTokenId", cchWideChar=-1, lpMultiByteStr=0x54e4f0, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_token_sameTokenId", lpUsedDefaultChar=0x0) returned 26 [0292.751] GetLastError () returned 0x0 [0292.751] SetLastError (dwErrCode=0x0) [0292.751] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdW") returned 0x0 [0292.751] GetLastError () returned 0x7f [0292.751] SetLastError (dwErrCode=0x7f) [0292.751] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenIdA") returned 0x0 [0292.751] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_token_sameTokenId") returned 0x647c4750 [0292.751] RtlAllocateHeap (HeapHandle=0x540000, Flags=0x0, Size=0x4) returned 0x543810 [0292.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x543810, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0292.751] GetActiveWindow () returned 0x0 [0292.752] GetLastError () returned 0x7f [0292.752] SetLastError (dwErrCode=0x7f) Thread: id = 908 os_tid = 0xccc Process: id = "429" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x5134d000" os_pid = "0x1024" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "428" os_parent_pid = "0x310" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_token_sameTokenId /fn_args=\"1\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "430" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x62a50000" os_pid = "0x114c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31622 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31623 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31624 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31625 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31626 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31627 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31628 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31629 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31630 start_va = 0xb60000 end_va = 0xb61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 31631 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31632 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31633 start_va = 0x7f180000 end_va = 0x7f1a2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f180000" filename = "" Region: id = 31634 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31635 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31636 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31637 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31638 start_va = 0x400000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31639 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31640 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31641 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31642 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31643 start_va = 0xb70000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 31644 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31645 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31647 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31648 start_va = 0x7f080000 end_va = 0x7f17ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f080000" filename = "" Region: id = 31649 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31650 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 31651 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31652 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31653 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31654 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31655 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31656 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31657 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31658 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31659 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31660 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31661 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31662 start_va = 0xb60000 end_va = 0xb63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 31663 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31664 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31665 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31666 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31667 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31668 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31669 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31670 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31671 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31672 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31673 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 31674 start_va = 0xb70000 end_va = 0xb99fff monitored = 0 entry_point = 0xb75680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31675 start_va = 0xc10000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 31676 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31677 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31678 start_va = 0x760000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 31679 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 31680 start_va = 0xd10000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 31681 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31682 start_va = 0xb70000 end_va = 0xc00fff monitored = 0 entry_point = 0xba8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31683 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31684 start_va = 0xb70000 end_va = 0xb72fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 31685 start_va = 0xdc0000 end_va = 0xec9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 31686 start_va = 0x10000000 end_va = 0x10023fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 31688 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31689 start_va = 0xed0000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 31690 start_va = 0x743a0000 end_va = 0x743b2fff monitored = 0 entry_point = 0x743a1d20 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 31691 start_va = 0x6f9d0000 end_va = 0x6f9ebfff monitored = 0 entry_point = 0x6f9d4720 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 31692 start_va = 0x6f9b0000 end_va = 0x6f9c4fff monitored = 0 entry_point = 0x6f9b5210 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 31693 start_va = 0x6f9a0000 end_va = 0x6f9a9fff monitored = 0 entry_point = 0x6f9a28d0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 31696 start_va = 0x6f970000 end_va = 0x6f99efff monitored = 0 entry_point = 0x6f985140 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 31697 start_va = 0x6f960000 end_va = 0x6f96ffff monitored = 0 entry_point = 0x6f9634d0 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 31698 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 31699 start_va = 0x6f940000 end_va = 0x6f958fff monitored = 0 entry_point = 0x6f9447e0 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 31700 start_va = 0x77200000 end_va = 0x7725efff monitored = 0 entry_point = 0x77204af0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 31701 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 31702 start_va = 0xb80000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 31703 start_va = 0xb80000 end_va = 0xb83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 31704 start_va = 0xb90000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 31705 start_va = 0xba0000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 31706 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 31707 start_va = 0xba0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 31708 start_va = 0xbc0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 31709 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31735 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31754 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31777 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31784 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31791 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31794 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31797 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31802 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31867 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31890 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31905 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31911 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31917 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31921 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31922 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31943 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31953 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31973 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31991 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 31996 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32001 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32004 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32005 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32006 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32031 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32051 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32072 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32078 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32083 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32089 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32090 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32091 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32094 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32100 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32114 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32143 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32164 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32182 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32189 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32197 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32198 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32200 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32201 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32225 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32239 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32260 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32272 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32274 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32282 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32304 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32310 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32328 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32341 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32354 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32394 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32417 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32444 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32469 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32482 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32500 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32507 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32509 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32510 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32539 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32559 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32580 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32586 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32591 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32594 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32595 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32609 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32626 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32643 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32650 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32674 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32692 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32714 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32744 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32747 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32752 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32753 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32780 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32815 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 32839 start_va = 0xba0000 end_va = 0xbb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Thread: id = 912 os_tid = 0xc50 [0293.146] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0293.146] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.147] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0293.147] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.147] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0293.147] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0293.147] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.148] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0293.148] GetProcessHeap () returned 0xc10000 [0293.148] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0293.148] GetLastError () returned 0x7e [0293.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0293.148] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0293.148] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x364) returned 0xc20a28 [0293.149] SetLastError (dwErrCode=0x7e) [0293.149] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xe00) returned 0xc20d98 [0293.150] GetStartupInfoW (in: lpStartupInfo=0x18f94c | out: lpStartupInfo=0x18f94c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0293.150] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0293.150] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0293.150] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0293.150] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"" [0293.151] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"" [0293.151] GetACP () returned 0x4e4 [0293.151] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x220) returned 0xc21ba0 [0293.151] IsValidCodePage (CodePage=0x4e4) returned 1 [0293.151] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f96c | out: lpCPInfo=0x18f96c) returned 1 [0293.151] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f234 | out: lpCPInfo=0x18f234) returned 1 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x18efd8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0293.151] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f248 | out: lpCharType=0x18f248) returned 1 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0293.151] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.151] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0293.151] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0293.151] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0293.151] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f748, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ)ðÔ?\x84ù\x18", lpUsedDefaultChar=0x0) returned 256 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.151] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f848, cbMultiByte=256, lpWideCharStr=0x18efa8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0293.151] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0293.151] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0293.152] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f648, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ)ðÔ?\x84ù\x18", lpUsedDefaultChar=0x0) returned 256 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x80) returned 0xc13830 [0293.152] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x15c) returned 0xc19c70 [0293.152] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0293.152] GetLastError () returned 0x0 [0293.152] SetLastError (dwErrCode=0x0) [0293.152] GetEnvironmentStringsW () returned 0xc21dc8* [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0xa8c) returned 0xc22860 [0293.152] FreeEnvironmentStringsW (penv=0xc21dc8) returned 1 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc14520 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3e) returned 0xc1b038 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x5c) returned 0xc187f8 [0293.152] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x6e) returned 0xc145e8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x78) returned 0xc23f20 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc149b8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x28) returned 0xc13d50 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc13fa0 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1a) returned 0xc10570 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1b0c8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x62) returned 0xc13bb0 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2a) returned 0xc18520 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc18558 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1c) returned 0xc13d80 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x144) returned 0xc21dc8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x7c) returned 0xc18058 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e578 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3a) returned 0xc1ac48 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x90) returned 0xc14358 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc138d0 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x30) returned 0xc18670 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x36) returned 0xc1e038 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x48) returned 0xc128d8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc104b8 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x3c) returned 0xc1b110 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0xd6) returned 0xc19e30 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2e) returned 0xc18440 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x1e) returned 0xc12928 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc18590 [0293.153] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x54) returned 0xc13dc8 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x52) returned 0xc14028 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13e28 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x42) returned 0xc14088 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x2c) returned 0xc18600 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x44) returned 0xc19f60 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x24) returned 0xc13900 [0293.154] HeapFree (in: hHeap=0xc10000, dwFlags=0x0, lpMem=0xc22860 | out: hHeap=0xc10000) returned 1 [0293.154] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x800) returned 0xc21f18 [0293.155] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0293.155] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0293.155] GetStartupInfoW (in: lpStartupInfo=0x18f9b0 | out: lpStartupInfo=0x18f9b0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0293.155] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"" [0293.155] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"", pNumArgs=0x18f99c | out: pNumArgs=0x18f99c) returned 0xc22b68*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0293.155] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0293.163] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x1000) returned 0xc24300 [0293.163] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0xa) returned 0xc1a288 [0293.163] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="must", cchWideChar=-1, lpMultiByteStr=0xc1a288, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="must", lpUsedDefaultChar=0x0) returned 5 [0293.163] GetLastError () returned 0x0 [0293.163] SetLastError (dwErrCode=0x0) [0293.163] GetProcAddress (hModule=0x647c0000, lpProcName="mustW") returned 0x0 [0293.163] GetLastError () returned 0x7f [0293.163] SetLastError (dwErrCode=0x7f) [0293.163] GetProcAddress (hModule=0x647c0000, lpProcName="mustA") returned 0x0 [0293.164] GetProcAddress (hModule=0x647c0000, lpProcName="must") returned 0x647c4e94 [0293.164] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x0, Size=0x4) returned 0xc137d8 [0293.164] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0xc137d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0293.164] GetActiveWindow () returned 0x0 [0293.164] VirtualAlloc (lpAddress=0x0, dwSize=0x2d82, flAllocationType=0x3000, flProtect=0x4) returned 0xb70000 [0293.165] VirtualProtect (in: lpAddress=0xb70000, dwSize=0x2d82, flNewProtect=0x20, lpflOldProtect=0x18f8d4 | out: lpflOldProtect=0x18f8d4*=0x4) returned 1 [0293.173] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x100000) returned 0xdc8020 [0293.187] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x4) returned 0xc13930 [0293.187] RtlAllocateHeap (HeapHandle=0xc10000, Flags=0x8, Size=0x20800) returned 0xc25308 [0293.191] RtlFreeHeap (HeapHandle=0xc10000, Flags=0x0, BaseAddress=0xc13930) returned 1 [0293.194] GetNativeSystemInfo (in: lpSystemInfo=0x18f75c | out: lpSystemInfo=0x18f75c*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0293.194] VirtualAlloc (lpAddress=0x10000000, dwSize=0x24000, flAllocationType=0x3000, flProtect=0x4) returned 0x10000000 [0293.198] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x754e0000 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_snprintf") returned 0x75555020 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="memchr") returned 0x75568380 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="malloc") returned 0x75527900 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_errno") returned 0x75515cd0 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_strtoi64") returned 0x75511e60 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnprintf") returned 0x755563d0 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="memset") returned 0x75568c80 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="qsort") returned 0x7553c200 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_ftol2_sse") returned 0x7557a580 [0293.199] GetProcAddress (hModule=0x754e0000, lpProcName="_vsnwprintf") returned 0x75556840 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="free") returned 0x75527740 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="_time64") returned 0x7556ea10 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="strncpy") returned 0x75569350 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="strchr") returned 0x75568d90 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="strtod") returned 0x75511ba0 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="localeconv") returned 0x7553c100 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="memcpy") returned 0x755684a0 [0293.200] GetProcAddress (hModule=0x754e0000, lpProcName="atol") returned 0x7550fe40 [0293.200] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75820000 [0293.200] GetProcAddress (hModule=0x75820000, lpProcName="FindNextFileW") returned 0x758469a0 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="GetTickCount") returned 0x75845eb0 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="SetThreadPriority") returned 0x75839990 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="FlushFileBuffers") returned 0x758469b0 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="LocalAlloc") returned 0x75837a30 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="GetExitCodeProcess") returned 0x7583fdb0 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemTimeAsFileTime") returned 0x75837620 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="GetFileAttributesW") returned 0x75846a50 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="MultiByteToWideChar") returned 0x75832ad0 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="SetCurrentDirectoryA") returned 0x75862290 [0293.201] GetProcAddress (hModule=0x75820000, lpProcName="Sleep") returned 0x75837990 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpiW") returned 0x75837590 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="GetDriveTypeW") returned 0x75846a10 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="GetLastError") returned 0x75833870 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="CreateDirectoryW") returned 0x75846860 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatA") returned 0x7583f640 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="CreateMutexW") returned 0x758466f0 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentThread") returned 0x758375f0 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="GetProcessId") returned 0x7583a6a0 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="DisconnectNamedPipe") returned 0x75860990 [0293.202] GetProcAddress (hModule=0x75820000, lpProcName="lstrcmpA") returned 0x7583cc30 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="K32GetModuleFileNameExW") returned 0x758616a0 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="MoveFileW") returned 0x7583b1d0 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="ExitThread") returned 0x776b7a80 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="GetNumberFormatA") returned 0x75876060 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcessId") returned 0x758323e0 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="SwitchToThread") returned 0x7583a690 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleW") returned 0x75839bc0 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="GetProcAddress") returned 0x758378b0 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="HeapCreate") returned 0x7583a100 [0293.203] GetProcAddress (hModule=0x75820000, lpProcName="HeapFree") returned 0x75831ba0 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="HeapAlloc") returned 0x77682bd0 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="GetModuleHandleA") returned 0x758399f0 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryA") returned 0x75844bf0 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentProcess") returned 0x758338c0 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="lstrcatW") returned 0x7585d170 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="WideCharToMultiByte") returned 0x75833880 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="FindFirstFileW") returned 0x75846960 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="GetWindowsDirectoryW") returned 0x75845120 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="SetFileAttributesW") returned 0x75846c20 [0293.204] GetProcAddress (hModule=0x75820000, lpProcName="lstrlenW") returned 0x75833690 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="LoadLibraryW") returned 0x7583a840 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="FreeLibrary") returned 0x75839f50 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="GetCommandLineW") returned 0x7583aba0 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="GetVersionExA") returned 0x7583a700 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="GetSystemInfo") returned 0x7583a0f0 [0293.205] GetProcAddress (hModule=0x75820000, lpProcName="GetCurrentDirectoryW") returned 0x7583a9a0 [0293.205] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ec0000 [0293.205] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffA") returned 0x74f4aba0 [0293.217] GetProcAddress (hModule=0x74ec0000, lpProcName="CharUpperBuffW") returned 0x74ef4d90 [0293.217] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75e00000 [0293.218] GetProcAddress (hModule=0x75e00000, lpProcName="CommandLineToArgvW") returned 0x75fabf80 [0293.218] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75a90000 [0293.218] GetProcAddress (hModule=0x75a90000, lpProcName="CoCreateInstance") returned 0x75690060 [0293.218] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeEx") returned 0x756688d0 [0293.218] GetProcAddress (hModule=0x75a90000, lpProcName="CoSetProxyBlanket") returned 0x756660a0 [0293.218] GetProcAddress (hModule=0x75a90000, lpProcName="CoInitializeSecurity") returned 0x756d3870 [0293.218] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x74bb0000 [0293.221] GetProcAddress (hModule=0x74bb0000, lpProcName=0x14) returned 0x74bc2a10 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x6) returned 0x74bc9d40 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x2) returned 0x74bc9c90 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x9) returned 0x74bc9570 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x13) returned 0x74bc25b0 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x10) returned 0x74bc6200 [0293.222] GetProcAddress (hModule=0x74bb0000, lpProcName=0x19) returned 0x74bc5830 [0293.222] VirtualProtect (in: lpAddress=0x10001000, dwSize=0x18800, flNewProtect=0x20, lpflOldProtect=0x18f818 | out: lpflOldProtect=0x18f818*=0x4) returned 1 [0293.224] VirtualProtect (in: lpAddress=0x1001a000, dwSize=0x4800, flNewProtect=0x2, lpflOldProtect=0x18f818 | out: lpflOldProtect=0x18f818*=0x4) returned 1 [0293.224] VirtualProtect (in: lpAddress=0x1001f000, dwSize=0x2000, flNewProtect=0x4, lpflOldProtect=0x18f818 | out: lpflOldProtect=0x18f818*=0x4) returned 1 [0293.224] VirtualProtect (in: lpAddress=0x10022000, dwSize=0x600, flNewProtect=0x2, lpflOldProtect=0x18f818 | out: lpflOldProtect=0x18f818*=0x4) returned 1 [0293.225] VirtualProtect (in: lpAddress=0x10023000, dwSize=0xe00, flNewProtect=0x2, lpflOldProtect=0x18f818 | out: lpflOldProtect=0x18f818*=0x4) returned 1 [0293.225] NtFlushInstructionCache (ProcessHandle=0xffffffff, BaseAddress=0x0, NumberOfBytesToFlush=0x0) returned 0x0 [0293.227] HeapCreate (flOptions=0x0, dwInitialSize=0x96000, dwMaximumSize=0x0) returned 0x1030000 [0293.229] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x100) returned 0x10af5a8 [0293.230] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x7a) returned 0x10af6b0 [0293.230] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18f3cc, cchNumber=34 | out: lpNumberStr="") returned 0 [0293.231] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x28) returned 0x10af738 [0293.231] GetFileAttributesW (lpFileName="C:\\INTERNAL\\__empty" (normalized: "c:\\internal\\__empty")) returned 0xffffffff [0293.247] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.510] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.511] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f644, cbMultiByte=-1, lpWideCharStr=0x18f444, cchWideChar=255 | out: lpWideCharStr="ef") returned 3 [0293.511] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af738 [0293.511] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0293.511] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x144) returned 0x10af750 [0293.528] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0293.528] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0293.529] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.529] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af738 [0293.529] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x75820000 [0293.529] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x144) returned 0x10af8a0 [0293.535] LoadLibraryA (lpLibFileName="NTDLL.dll") returned 0x77650000 [0293.535] GetProcAddress (hModule=0x77650000, lpProcName="RtlAddVectoredExceptionHandler") returned 0x77673f90 [0293.536] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.536] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x10af738 [0293.536] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77650000 [0293.536] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x40) returned 0x10af9f0 [0293.537] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.537] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x10af738 [0293.537] LoadLibraryA (lpLibFileName="user32.dll") returned 0x74ec0000 [0293.537] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x6c) returned 0x10afa38 [0293.538] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.538] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x10af738 [0293.538] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x74a60000 [0293.538] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x24) returned 0x10afab0 [0293.538] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.539] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af738 [0293.539] LoadLibraryA (lpLibFileName="netapi32.dll") returned 0x743a0000 [0293.541] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x18) returned 0x10afae0 [0293.541] LoadLibraryA (lpLibFileName="SRVCLI.dll") returned 0x6f9d0000 [0293.545] GetProcAddress (hModule=0x6f9d0000, lpProcName="NetShareEnum") returned 0x6f9d4140 [0293.546] LoadLibraryA (lpLibFileName="SAMCLI.dll") returned 0x6f9b0000 [0293.548] GetProcAddress (hModule=0x6f9b0000, lpProcName="NetUserEnum") returned 0x6f9bc010 [0293.548] LoadLibraryA (lpLibFileName="NETUTILS.dll") returned 0x6f9a0000 [0293.552] GetProcAddress (hModule=0x6f9a0000, lpProcName="NetApiBufferFree") returned 0x6f9a16d0 [0293.552] LoadLibraryA (lpLibFileName="LOGONCLI.dll") returned 0x6f970000 [0293.578] GetProcAddress (hModule=0x6f970000, lpProcName="NetGetDCName") returned 0x6f98de00 [0293.578] LoadLibraryA (lpLibFileName="WKSCLI.dll") returned 0x6f960000 [0293.585] GetProcAddress (hModule=0x6f960000, lpProcName="NetGetJoinInformation") returned 0x6f962e90 [0293.585] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.585] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af738 [0293.585] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77260000 [0293.586] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd4) returned 0x10afb00 [0293.588] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.588] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af738 [0293.588] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x75a40000 [0293.589] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2c) returned 0x10afbe0 [0293.589] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.589] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af738 [0293.589] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75e00000 [0293.589] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10afc18 [0293.589] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.589] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af738 [0293.589] LoadLibraryA (lpLibFileName="userenv.dll") returned 0x6f940000 [0293.593] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10afc28 [0293.593] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.594] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x10af738 [0293.594] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x77200000 [0293.598] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x10afc38 [0293.598] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.598] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x20) returned 0x10afc50 [0293.598] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10afc50 | out: hHeap=0x1030000) returned 1 [0293.599] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x1ac4) returned 0x10afc50 [0293.599] GetCurrentProcessId () returned 0x114c [0293.599] GetTickCount64 () returned 0x1d4d94d [0293.599] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x10b1294, nSize=0x105 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0293.599] GetCurrentProcess () returned 0xffffffff [0293.600] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18edfc | out: TokenHandle=0x18edfc*=0x1b4) returned 1 [0293.600] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18eddc | out: TokenInformation=0x0, ReturnLength=0x18eddc) returned 0 [0293.600] GetLastError () returned 0x7a [0293.600] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x24) returned 0x10b1720 [0293.600] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x1, TokenInformation=0x10b1720, TokenInformationLength=0x24, ReturnLength=0x18edec | out: TokenInformation=0x10b1720, ReturnLength=0x18edec) returned 1 [0293.600] CloseHandle (hObject=0x1b4) returned 1 [0293.600] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18edf4, nSubAuthorityCount=0x1, nSubAuthority0=0x12, nSubAuthority1=0x0, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18edfc | out: pSid=0x18edfc*=0xc1a228*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 1 [0293.601] EqualSid (pSid1=0x10b1728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0xc1a228*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12)) returned 0 [0293.601] GetCurrentThread () returned 0xfffffffe [0293.601] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x18edd0 | out: TokenHandle=0x18edd0*=0x0) returned 0 [0293.601] GetLastError () returned 0x3f0 [0293.601] GetCurrentProcess () returned 0xffffffff [0293.601] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18edd0 | out: TokenHandle=0x18edd0*=0x1b4) returned 1 [0293.601] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18edc8 | out: TokenInformation=0x0, ReturnLength=0x18edc8) returned 0 [0293.601] GetLastError () returned 0x7a [0293.601] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x140) returned 0x10b1750 [0293.601] GetTokenInformation (in: TokenHandle=0x1b4, TokenInformationClass=0x2, TokenInformation=0x10b1750, TokenInformationLength=0x140, ReturnLength=0x18edec | out: TokenInformation=0x10b1750, ReturnLength=0x18edec) returned 1 [0293.601] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18ede4, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18edf8 | out: pSid=0x18edf8*=0xc1a0d8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0293.601] EqualSid (pSid1=0x10b17c4*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), pSid2=0xc1a0d8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0293.601] EqualSid (pSid1=0x10b17e0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0), pSid2=0xc1a0d8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0293.601] EqualSid (pSid1=0x10b17ec*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x72), pSid2=0xc1a0d8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 0 [0293.601] EqualSid (pSid1=0x10b17f8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc1a0d8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0293.601] CloseHandle (hObject=0x1b4) returned 1 [0293.602] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1750 | out: hHeap=0x1030000) returned 1 [0293.602] NetGetJoinInformation (in: lpServer=0x0, lpNameBuffer=0x18edfc, BufferType=0x18edf8 | out: lpNameBuffer=0x18edfc*="WORKGROUP", BufferType=0x18edf8) returned 0x0 [0293.628] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10b1750 [0293.628] NetGetDCName (in: servername=0x0, domainname=0x0, bufptr=0x18edfc | out: bufptr=0x18edfc) returned 0x995 [0293.632] LookupAccountSidW (in: lpSystemName=0x0, Sid=0x10b1728*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), Name=0x10afd64, cchName=0x18f85c, ReferencedDomainName=0x18f5d8, cchReferencedDomainName=0x18f860, peUse=0x18f858 | out: Name="RDhJ0CNFevzX", cchName=0x18f85c, ReferencedDomainName="XC64ZB", cchReferencedDomainName=0x18f860, peUse=0x18f858) returned 1 [0293.635] GetSystemMetrics (nIndex=4096) returned 0 [0293.650] GetModuleFileNameW (in: hModule=0x10000000, lpFilename=0x10afe78, nSize=0x104 | out: lpFilename="") returned 0x0 [0293.650] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"" [0293.650] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=must /fn_args=\"1\"", pNumArgs=0x18edf4 | out: pNumArgs=0x18edf4) returned 0xc498a0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0293.650] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe") returned 40 [0293.650] GetComputerNameW (in: lpBuffer=0x18e9ec, nSize=0x18ebf0 | out: lpBuffer="XC64ZB", nSize=0x18ebf0) returned 1 [0293.650] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18e56c, cchNumber=34 | out: lpNumberStr="ìé\x18") returned 0 [0293.651] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x10af738 [0293.651] GetVolumeInformationW (in: lpRootPathName="c:\\\\", lpVolumeNameBuffer=0x18e5ec, nVolumeNameSize=0x100, lpVolumeSerialNumber=0x18ebf4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x18e7ec, nFileSystemNameSize=0x100 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x18ebf4*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0293.651] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.652] _vsnwprintf (in: _Buffer=0x18ec0c, _BufferCount=0xfa, _Format="%u", _ArgList=0x18e5dc | out: _Buffer="203980600") returned 9 [0293.652] lstrcatW (in: lpString1="XC64ZB203980600", lpString2="RDhJ0CNFevzX" | out: lpString1="XC64ZB203980600RDhJ0CNFevzX") returned="XC64ZB203980600RDhJ0CNFevzX" [0293.652] CharUpperBuffW (in: lpsz="XC64ZB203980600RDhJ0CNFevzX", cchLength=0x1b | out: lpsz="XC64ZB203980600RDHJ0CNFEVZX") returned 0x1b [0293.652] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x21) returned 0x10b1770 [0293.652] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫\x18큈") returned 7 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.653] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.654] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.654] lstrlenW (lpString="䉁䑃䙅䆫") returned 4 [0293.654] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.654] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x10afd00, cbMultiByte=-1, lpWideCharStr=0x10afd20, cchWideChar=32 | out: lpWideCharStr="fdircmne") returned 9 [0293.654] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x1b) returned 0x10b1770 [0293.654] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x10af738 [0293.654] lstrlenW (lpString="䉁䑃䙅ခ\x18醺") returned 7 [0293.654] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.654] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] lstrlenW (lpString="䉁䑃䙅ခ") returned 4 [0293.655] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.655] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af738 | out: hHeap=0x1030000) returned 1 [0293.655] GetCurrentProcess () returned 0xffffffff [0293.655] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18edfc | out: TokenHandle=0x18edfc*=0x1fc) returned 1 [0293.655] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18eddc | out: TokenInformation=0x0, ReturnLength=0x18eddc) returned 0 [0293.655] GetLastError () returned 0x7a [0293.655] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10b1770 [0293.655] GetTokenInformation (in: TokenHandle=0x1fc, TokenInformationClass=0x19, TokenInformation=0x10b1770, TokenInformationLength=0x14, ReturnLength=0x18edf4 | out: TokenInformation=0x10b1770, ReturnLength=0x18edf4) returned 1 [0293.656] GetSidSubAuthorityCount (pSid=0x10b1778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x10b1779 [0293.656] GetSidSubAuthority (pSid=0x10b1778*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x10b1780 [0293.656] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.656] CloseHandle (hObject=0x1fc) returned 1 [0293.656] GetVersionExA (in: lpVersionInformation=0x10afc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10afc50*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0293.656] GetCurrentProcess () returned 0xffffffff [0293.656] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18edfc | out: Wow64Process=0x18edfc*=1) returned 1 [0293.656] GetWindowsDirectoryW (in: lpBuffer=0x10b0c70, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0293.656] GetNumberFormatA (in: Locale=0x7d3, dwFlags=0xb4, lpValue="electricmadness", lpFormat=0x0, lpNumberStr=0x18ed94, cchNumber=34 | out: lpNumberStr="") returned 0 [0293.656] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x16) returned 0x10b1770 [0293.656] GetEnvironmentVariableW (in: lpName="SystemRoot", lpBuffer=0x18f5cc, nSize=0x104 | out: lpBuffer="") returned 0xa [0293.656] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.656] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x10b1084, nSize=0x209 | out: lpBuffer="") returned 0x15 [0293.656] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x10b0e7a, nSize=0x20a | out: lpBuffer="") returned 0x24 [0293.656] GetEnvironmentVariableW (in: lpName="SystemDrive", lpBuffer=0x18f7d8, nSize=0x40 | out: lpBuffer="") returned 0x2 [0293.656] GetComputerNameW (in: lpBuffer=0x10b15ec, nSize=0x18f860 | out: lpBuffer="XC64ZB", nSize=0x18f860) returned 1 [0293.656] lstrlenW (lpString="䉁䑃䙅睬녩➳￾ÿ\x18䬇ခ\x18") returned 14 [0293.656] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.656] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.657] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.658] lstrlenW (lpString="䉁䑃䙅睬") returned 4 [0293.676] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.676] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.676] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.677] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] lstrlenW (lpString="䉁䑃䙅") returned 3 [0293.678] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2d) returned 0x10b1770 [0293.678] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af738 [0293.678] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b17a8 [0293.678] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x13) returned 0x10b17c0 [0293.678] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b17e0 [0293.679] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x26) returned 0x10b1770 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b17f8 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b1810 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b1828 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b1840 [0293.679] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b1770 [0293.679] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10b1788 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b1858 [0293.680] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b1770 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10b1798 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10b1870 [0293.680] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1770 | out: hHeap=0x1030000) returned 1 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10b1888 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10b1770 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10b18a8 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b18b8 [0293.680] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1888 | out: hHeap=0x1030000) returned 1 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x12) returned 0x10b1888 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10b18d0 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10b18e0 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10b18f8 [0293.680] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1888 | out: hHeap=0x1030000) returned 1 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x25) returned 0x10b1910 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b1888 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10b1940 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x10b1958 [0293.680] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x10b1970 [0293.681] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10b1910 | out: hHeap=0x1030000) returned 1 [0293.681] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x53) returned 0x10af008 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x18) returned 0x10b1910 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af068 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x10af1c8 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x10af108 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af198 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x10af0c0 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af150 [0293.684] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af008 | out: hHeap=0x1030000) returned 1 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2f) returned 0x10af008 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af0d8 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x15) returned 0x10af040 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af270 [0293.684] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af120 [0293.685] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af008 | out: hHeap=0x1030000) returned 1 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x3e) returned 0x10af288 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x10af168 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x10af0f0 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af180 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10af008 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xf) returned 0x10af228 [0293.685] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af288 | out: hHeap=0x1030000) returned 1 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xf) returned 0x10af138 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10b1930 [0293.685] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xf) returned 0x10af240 [0293.685] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af138 | out: hHeap=0x1030000) returned 1 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10af1b0 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af028 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10af258 [0293.686] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af1b0 | out: hHeap=0x1030000) returned 1 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x22) returned 0x10af288 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x10af0a8 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x10af138 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x10af1b0 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10af1e0 [0293.686] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af288 | out: hHeap=0x1030000) returned 1 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x10af1f8 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af288 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x10af210 [0293.686] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af1f8 | out: hHeap=0x1030000) returned 1 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x1c) returned 0x10af298 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10af2c0 [0293.686] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x10af1f8 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x1030960 [0293.687] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af298 | out: hHeap=0x1030000) returned 1 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10309a8 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af298 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x9) returned 0x10309c0 [0293.687] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10309a8 | out: hHeap=0x1030000) returned 1 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2b) returned 0x10af2d0 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x1030930 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x1030ba0 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x10) returned 0x1030990 [0293.687] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x1030a80 [0293.688] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af2d0 | out: hHeap=0x1030000) returned 1 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x72) returned 0x10af2d0 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10af350 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x18) returned 0x10af370 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x19) returned 0x10af390 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x12) returned 0x10af3b8 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x20) returned 0x10af3d8 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xf) returned 0x10309f0 [0293.688] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af2d0 | out: hHeap=0x1030000) returned 1 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x30) returned 0x10af2d0 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10af2a8 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x25) returned 0x10af308 [0293.688] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x1030a20 [0293.689] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af2d0 | out: hHeap=0x1030000) returned 1 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2a) returned 0x10af2d0 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x1030a50 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x10309d8 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xc) returned 0x1030ae0 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x11) returned 0x10af400 [0293.689] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af2d0 | out: hHeap=0x1030000) returned 1 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x2a) returned 0x10af2d0 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x10af338 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x14) returned 0x10af420 [0293.689] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x16) returned 0x10af440 [0293.690] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af2d0 | out: hHeap=0x1030000) returned 1 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x1030900 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af2d0 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xa) returned 0x1030bb8 [0293.690] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x1030900 | out: hHeap=0x1030000) returned 1 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x1030a08 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af2e0 [0293.690] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xd) returned 0x1030a38 [0293.691] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x1030a08 | out: hHeap=0x1030000) returned 1 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x1030918 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x4) returned 0x10af2f0 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xb) returned 0x1030a08 [0293.691] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x1030918 | out: hHeap=0x1030000) returned 1 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x1f) returned 0x10af460 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x8) returned 0x1030e90 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0xe) returned 0x1030a68 [0293.691] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x11) returned 0x10af488 [0293.691] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af460 | out: hHeap=0x1030000) returned 1 [0293.691] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1fc [0293.711] Process32First (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0293.712] RtlAllocateHeap (HeapHandle=0x1030000, Flags=0x8, Size=0x20) returned 0x10af460 [0293.713] HeapFree (in: hHeap=0x1030000, dwFlags=0x0, lpMem=0x10af460 | out: hHeap=0x1030000) returned 1 [0293.713] Sleep (dwMilliseconds=0xa) [0293.771] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x73, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0293.772] Sleep (dwMilliseconds=0xa) [0293.808] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0293.809] Sleep (dwMilliseconds=0xa) [0293.953] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.954] Sleep (dwMilliseconds=0xa) [0294.041] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x178, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0294.042] Sleep (dwMilliseconds=0xa) [0294.074] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0294.075] Sleep (dwMilliseconds=0xa) [0294.211] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1b4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0294.212] Sleep (dwMilliseconds=0xa) [0294.301] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0294.302] Sleep (dwMilliseconds=0xa) [0294.351] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x21c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1bc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0294.352] Sleep (dwMilliseconds=0xa) [0294.639] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.639] Sleep (dwMilliseconds=0xa) [0294.687] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.687] Sleep (dwMilliseconds=0xa) [0294.743] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1fc, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0294.744] Sleep (dwMilliseconds=0xa) [0294.791] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x364, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.792] Sleep (dwMilliseconds=0xa) [0294.828] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.829] Sleep (dwMilliseconds=0xa) [0294.927] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.928] Sleep (dwMilliseconds=0xa) [0294.966] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.967] Sleep (dwMilliseconds=0xa) [0295.014] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x3f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.015] Sleep (dwMilliseconds=0xa) [0295.059] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x210, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.060] Sleep (dwMilliseconds=0xa) [0295.101] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x45c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.102] Sleep (dwMilliseconds=0xa) [0295.164] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0295.165] Sleep (dwMilliseconds=0xa) [0295.205] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0295.206] Sleep (dwMilliseconds=0xa) [0295.244] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0295.245] Sleep (dwMilliseconds=0xa) [0295.303] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x644, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.304] Sleep (dwMilliseconds=0xa) [0295.341] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x778, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2c, th32ParentProcessID=0x764, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0295.342] Sleep (dwMilliseconds=0xa) [0295.385] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x7fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x364, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0295.386] Sleep (dwMilliseconds=0xa) [0295.444] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1d, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0295.445] Sleep (dwMilliseconds=0xa) [0295.484] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x92c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0295.485] Sleep (dwMilliseconds=0xa) [0295.558] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x828, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.559] Sleep (dwMilliseconds=0xa) [0295.610] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0295.611] Sleep (dwMilliseconds=0xa) [0295.651] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="ApplicationFrameHost.exe")) returned 1 [0295.652] Sleep (dwMilliseconds=0xa) [0295.674] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xa50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="SystemSettings.exe")) returned 1 [0295.676] Sleep (dwMilliseconds=0xa) [0295.716] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x86c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x274, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0295.717] Sleep (dwMilliseconds=0xa) [0295.743] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x330, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x214, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0295.745] Sleep (dwMilliseconds=0xa) [0295.769] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0295.770] Sleep (dwMilliseconds=0xa) [0295.801] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="require-wife.exe")) returned 1 [0295.802] Sleep (dwMilliseconds=0xa) [0296.061] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xde8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hold_just.exe")) returned 1 [0296.062] Sleep (dwMilliseconds=0xa) [0296.375] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xdf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hear.exe")) returned 1 [0296.376] Sleep (dwMilliseconds=0xa) [0296.468] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sourcecampaignmake.exe")) returned 1 [0296.469] Sleep (dwMilliseconds=0xa) [0296.570] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="natureinformationidea.exe")) returned 1 [0296.571] Sleep (dwMilliseconds=0xa) [0296.671] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="entire-oil-if.exe")) returned 1 [0296.672] Sleep (dwMilliseconds=0xa) [0296.859] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="him_between.exe")) returned 1 [0296.860] Sleep (dwMilliseconds=0xa) [0296.998] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="sort few.exe")) returned 1 [0296.999] Sleep (dwMilliseconds=0xa) [0297.037] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="involve_her_hundred.exe")) returned 1 [0297.038] Sleep (dwMilliseconds=0xa) [0297.061] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe54, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="page.exe")) returned 1 [0297.062] Sleep (dwMilliseconds=0xa) [0297.151] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="say glass.exe")) returned 1 [0297.152] Sleep (dwMilliseconds=0xa) [0297.206] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="hour.exe")) returned 1 [0297.207] Sleep (dwMilliseconds=0xa) [0297.500] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="red.exe")) returned 1 [0297.501] Sleep (dwMilliseconds=0xa) [0297.583] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="stockupon.exe")) returned 1 [0297.584] Sleep (dwMilliseconds=0xa) [0297.670] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="method.exe")) returned 1 [0297.671] Sleep (dwMilliseconds=0xa) [0297.772] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xea0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="huge-on-his.exe")) returned 1 [0297.773] Sleep (dwMilliseconds=0xa) [0297.819] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0297.821] Sleep (dwMilliseconds=0xa) [0297.862] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0297.863] Sleep (dwMilliseconds=0xa) [0297.942] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0297.943] Sleep (dwMilliseconds=0xa) [0297.995] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xed0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0297.996] Sleep (dwMilliseconds=0xa) [0298.039] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xedc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0298.040] Sleep (dwMilliseconds=0xa) [0298.111] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0298.112] Sleep (dwMilliseconds=0xa) [0298.272] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xef8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0298.275] Sleep (dwMilliseconds=0xa) [0298.356] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0298.356] Sleep (dwMilliseconds=0xa) [0298.474] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0298.476] Sleep (dwMilliseconds=0xa) [0298.572] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0298.574] Sleep (dwMilliseconds=0xa) [0298.671] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0298.673] Sleep (dwMilliseconds=0xa) [0298.771] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0298.776] Sleep (dwMilliseconds=0xa) [0298.923] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0298.924] Sleep (dwMilliseconds=0xa) [0298.951] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0298.952] Sleep (dwMilliseconds=0xa) [0299.029] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf5c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0299.030] Sleep (dwMilliseconds=0xa) [0299.112] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0299.113] Sleep (dwMilliseconds=0xa) [0299.331] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0299.332] Sleep (dwMilliseconds=0xa) [0299.430] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0299.431] Sleep (dwMilliseconds=0xa) [0299.512] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0299.513] Sleep (dwMilliseconds=0xa) [0299.601] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xf90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0299.602] Sleep (dwMilliseconds=0xa) [0299.682] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0299.684] Sleep (dwMilliseconds=0xa) [0299.811] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfa8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0299.812] Sleep (dwMilliseconds=0xa) [0299.920] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0299.921] Sleep (dwMilliseconds=0xa) [0300.012] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0300.013] Sleep (dwMilliseconds=0xa) [0300.114] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0300.116] Sleep (dwMilliseconds=0xa) [0300.182] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0300.183] Sleep (dwMilliseconds=0xa) [0300.234] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xfec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0300.235] Sleep (dwMilliseconds=0xa) [0300.307] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xff4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0300.309] Sleep (dwMilliseconds=0xa) [0300.515] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0300.516] Sleep (dwMilliseconds=0xa) [0300.562] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0xe14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0300.563] Sleep (dwMilliseconds=0xa) [0300.619] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x100c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0300.621] Sleep (dwMilliseconds=0xa) [0300.655] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1014, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0300.656] Sleep (dwMilliseconds=0xa) [0300.720] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1028, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0300.721] Sleep (dwMilliseconds=0xa) [0300.843] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0300.844] Sleep (dwMilliseconds=0xa) [0301.119] Process32Next (in: hSnapshot=0x1fc, lppe=0x18eb20 | out: lppe=0x18eb20*(dwSize=0x128, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x778, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0301.120] Sleep (dwMilliseconds=0xa) Thread: id = 914 os_tid = 0x11c4 Process: id = "431" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x63866000" os_pid = "0xd98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31710 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31711 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31712 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31713 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31714 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31715 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31716 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31717 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31718 start_va = 0xb50000 end_va = 0xb51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 31719 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31720 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31721 start_va = 0x7e960000 end_va = 0x7e982fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e960000" filename = "" Region: id = 31722 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31723 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31724 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31725 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31728 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31729 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31730 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31731 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31732 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31733 start_va = 0xb60000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 31734 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31736 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31737 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31738 start_va = 0x7e860000 end_va = 0x7e95ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e860000" filename = "" Region: id = 31739 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31740 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 31741 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31742 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31743 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31744 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 31745 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31746 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31747 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31748 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31749 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31750 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31751 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31752 start_va = 0xb50000 end_va = 0xb53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 31753 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31755 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31756 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31757 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31758 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31759 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31760 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31761 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31762 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31763 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31764 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 31765 start_va = 0xb60000 end_va = 0xb89fff monitored = 0 entry_point = 0xb65680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31766 start_va = 0xce0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 31767 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31768 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31769 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31770 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 31771 start_va = 0xb60000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 31772 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31773 start_va = 0xbc0000 end_va = 0xc50fff monitored = 0 entry_point = 0xbf8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31774 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31780 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 31781 start_va = 0xbb0000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 31782 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 31783 start_va = 0xb70000 end_va = 0xb77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 31785 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 31786 start_va = 0xb80000 end_va = 0xb81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 31787 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 31788 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 31789 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 31790 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Thread: id = 915 os_tid = 0xc10 [0293.917] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0293.918] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.918] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0293.918] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.918] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0293.918] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0293.919] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.920] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0293.920] GetProcessHeap () returned 0xce0000 [0293.920] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.920] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0293.920] GetLastError () returned 0x7e [0293.920] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0293.920] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0293.921] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x364) returned 0xcf0a60 [0293.921] SetLastError (dwErrCode=0x7e) [0293.921] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0xe00) returned 0xcf0dd0 [0293.923] GetStartupInfoW (in: lpStartupInfo=0x18f8fc | out: lpStartupInfo=0x18f8fc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0293.923] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0293.923] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0293.923] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0293.923] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"" [0293.923] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"" [0293.923] GetACP () returned 0x4e4 [0293.923] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0x220) returned 0xcf1bd8 [0293.924] IsValidCodePage (CodePage=0x4e4) returned 1 [0293.924] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f91c | out: lpCPInfo=0x18f91c) returned 1 [0293.924] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1e4 | out: lpCPInfo=0x18f1e4) returned 1 [0293.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x18ef88, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0293.924] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f1f8 | out: lpCharType=0x18f1f8) returned 1 [0293.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.924] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x18ef38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0293.925] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0293.925] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0293.925] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0293.925] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ed28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0293.925] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6f8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿV³©\x1c4ù\x18", lpUsedDefaultChar=0x0) returned 256 [0293.925] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0293.925] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7f8, cbMultiByte=256, lpWideCharStr=0x18ef58, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0293.925] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0293.925] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ed48, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0293.925] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5f8, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿV³©\x1c4ù\x18", lpUsedDefaultChar=0x0) returned 256 [0293.926] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0x80) returned 0xce3868 [0293.926] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0293.926] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x186) returned 0xcf1e00 [0293.926] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0293.926] GetLastError () returned 0x0 [0293.926] SetLastError (dwErrCode=0x0) [0293.926] GetEnvironmentStringsW () returned 0xcf1f90* [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0xa8c) returned 0xcf2a28 [0293.927] FreeEnvironmentStringsW (penv=0xcf1f90) returned 1 [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x90) returned 0xce4558 [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x3e) returned 0xcead10 [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x5c) returned 0xce8a90 [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x6e) returned 0xce4620 [0293.927] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x78) returned 0xcf3968 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x62) returned 0xce49f0 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x28) returned 0xce3d88 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x48) returned 0xce3fd8 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x1a) returned 0xce0570 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x3a) returned 0xceafe0 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x62) returned 0xce3be8 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x2a) returned 0xce8860 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x2e) returned 0xce89b0 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x1c) returned 0xce3db8 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x144) returned 0xce9ca8 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x7c) returned 0xce8090 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x36) returned 0xcee3f0 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x3a) returned 0xcead58 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x90) returned 0xce4390 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x24) returned 0xce3908 [0293.928] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x30) returned 0xce8748 [0293.929] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x36) returned 0xcee3b0 [0293.929] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x48) returned 0xce2900 [0293.929] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x52) returned 0xce04b8 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x3c) returned 0xceaa40 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0xd6) returned 0xce9e68 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x2e) returned 0xce8978 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x1e) returned 0xce2950 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x2c) returned 0xce8780 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x54) returned 0xce3e00 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x52) returned 0xce4060 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x24) returned 0xce3e60 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x42) returned 0xce40c0 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x2c) returned 0xce8898 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x44) returned 0xce9f98 [0293.930] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x24) returned 0xce3938 [0293.931] HeapFree (in: hHeap=0xce0000, dwFlags=0x0, lpMem=0xcf2a28 | out: hHeap=0xce0000) returned 1 [0293.931] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x8, Size=0x800) returned 0xcf1f90 [0293.931] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0293.931] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0293.931] GetStartupInfoW (in: lpStartupInfo=0x18f960 | out: lpStartupInfo=0x18f960*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0293.932] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"" [0293.932] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"", pNumArgs=0x18f94c | out: pNumArgs=0x18f94c) returned 0xcf2be0*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0293.933] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0293.992] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0x1000) returned 0xcf44c8 [0293.992] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0x28) returned 0xcea6e0 [0293.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_addProvider", cchWideChar=-1, lpMultiByteStr=0xcea6e0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_addProvider", lpUsedDefaultChar=0x0) returned 20 [0293.992] GetLastError () returned 0x0 [0293.992] SetLastError (dwErrCode=0x0) [0293.993] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderW") returned 0x0 [0293.993] GetLastError () returned 0x7f [0293.993] SetLastError (dwErrCode=0x7f) [0293.993] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProviderA") returned 0x0 [0293.993] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_addProvider") returned 0x647cb3e5 [0293.993] RtlAllocateHeap (HeapHandle=0xce0000, Flags=0x0, Size=0x10) returned 0xcea200 [0293.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0xcea200, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0293.993] GetActiveWindow () returned 0x0 [0293.994] GetLastError () returned 0x7f [0293.994] SetLastError (dwErrCode=0x7f) Thread: id = 917 os_tid = 0xbe0 Process: id = "432" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6b179000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "431" os_parent_pid = "0xd98" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_addProvider /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "433" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x47a7e000" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31803 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31804 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31805 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31806 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31807 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31808 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31809 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31810 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31811 start_va = 0x520000 end_va = 0x521fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 31812 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31813 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31814 start_va = 0x7ee30000 end_va = 0x7ee52fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ee30000" filename = "" Region: id = 31815 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31816 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31817 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31818 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31859 start_va = 0x530000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 31860 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31861 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31862 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31863 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31864 start_va = 0x670000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 31865 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31866 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31868 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31869 start_va = 0x7ed30000 end_va = 0x7ee2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ed30000" filename = "" Region: id = 31870 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31871 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31872 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31873 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31874 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31875 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31876 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31877 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31878 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31879 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31880 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31881 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31882 start_va = 0x5c0000 end_va = 0x5c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 31883 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 31884 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31885 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31886 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31887 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31888 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31889 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31891 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31892 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31893 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31894 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31895 start_va = 0x5d0000 end_va = 0x5f9fff monitored = 0 entry_point = 0x5d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31896 start_va = 0x890000 end_va = 0xa17fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 31897 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31898 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31899 start_va = 0x5d0000 end_va = 0x5d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 31900 start_va = 0x5e0000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 31901 start_va = 0xa20000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 31902 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31903 start_va = 0x670000 end_va = 0x700fff monitored = 0 entry_point = 0x6a8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31904 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 31906 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31907 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 31908 start_va = 0x630000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 31909 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 31910 start_va = 0x5f0000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 31912 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 31913 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 31914 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 31915 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 31916 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 31918 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Thread: id = 919 os_tid = 0x1368 [0294.731] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0294.732] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0294.732] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0294.732] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0294.732] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0294.732] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0294.733] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0294.733] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0294.733] GetProcessHeap () returned 0x790000 [0294.733] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0294.733] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0294.733] GetLastError () returned 0x7e [0294.733] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0294.734] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0294.734] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x364) returned 0x7a09a8 [0294.734] SetLastError (dwErrCode=0x7e) [0294.734] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0xe00) returned 0x7a0d18 [0294.735] GetStartupInfoW (in: lpStartupInfo=0x18f8e4 | out: lpStartupInfo=0x18f8e4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0294.736] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0294.736] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0294.736] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0294.736] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"" [0294.736] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"" [0294.736] GetACP () returned 0x4e4 [0294.736] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x220) returned 0x7a1b20 [0294.736] IsValidCodePage (CodePage=0x4e4) returned 1 [0294.736] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f904 | out: lpCPInfo=0x18f904) returned 1 [0294.736] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1cc | out: lpCPInfo=0x18f1cc) returned 1 [0294.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0294.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18ef68, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0294.736] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1e0 | out: lpCharType=0x18f1e0) returned 1 [0294.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0294.736] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18ef28, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0294.736] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0294.736] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0294.736] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0294.737] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0294.737] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­Ò\x1ez\x1cù\x18", lpUsedDefaultChar=0x0) returned 256 [0294.737] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0294.737] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7e0, cbMultiByte=256, lpWideCharStr=0x18ef38, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0294.737] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0294.737] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed28, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0294.737] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5e0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ­Ò\x1ez\x1cù\x18", lpUsedDefaultChar=0x0) returned 256 [0294.737] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x80) returned 0x793880 [0294.737] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0294.737] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x194) returned 0x7a1d48 [0294.737] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0294.737] GetLastError () returned 0x0 [0294.737] SetLastError (dwErrCode=0x0) [0294.737] GetEnvironmentStringsW () returned 0x7a1ee8* [0294.737] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0xa8c) returned 0x7a2980 [0294.738] FreeEnvironmentStringsW (penv=0x7a1ee8) returned 1 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x90) returned 0x794570 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x3e) returned 0x79afb0 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x5c) returned 0x798848 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x6e) returned 0x794638 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x78) returned 0x7a39c0 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x62) returned 0x794a08 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x28) returned 0x793da0 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x48) returned 0x793ff0 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x1a) returned 0x790570 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x3a) returned 0x79ac08 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x62) returned 0x793c00 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x2a) returned 0x7986f8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x2e) returned 0x798500 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x1c) returned 0x793dd0 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x144) returned 0x799a60 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x7c) returned 0x7980a8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x36) returned 0x79dfb8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x3a) returned 0x79a9c8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x90) returned 0x7943a8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x24) returned 0x793920 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x30) returned 0x798688 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x36) returned 0x79e378 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x48) returned 0x792910 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x52) returned 0x7904b8 [0294.738] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x3c) returned 0x79ad28 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0xd6) returned 0x799e80 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x2e) returned 0x7986c0 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x1e) returned 0x792960 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x2c) returned 0x798570 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x54) returned 0x793e18 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x52) returned 0x794078 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x24) returned 0x793e78 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x42) returned 0x7940d8 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x2c) returned 0x7985a8 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x44) returned 0x799fb0 [0294.739] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x24) returned 0x793950 [0294.740] HeapFree (in: hHeap=0x790000, dwFlags=0x0, lpMem=0x7a2980 | out: hHeap=0x790000) returned 1 [0294.745] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x800) returned 0x7a1ee8 [0294.745] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0294.745] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0294.745] GetStartupInfoW (in: lpStartupInfo=0x18f948 | out: lpStartupInfo=0x18f948*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0294.745] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"" [0294.745] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"", pNumArgs=0x18f934 | out: pNumArgs=0x18f934) returned 0x7a2b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0294.745] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0294.748] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x1000) returned 0x7a4420 [0294.748] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x36) returned 0x79e238 [0294.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_create", cchWideChar=-1, lpMultiByteStr=0x79e238, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_create", lpUsedDefaultChar=0x0) returned 27 [0294.748] GetLastError () returned 0x0 [0294.748] SetLastError (dwErrCode=0x0) [0294.748] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createW") returned 0x0 [0294.748] GetLastError () returned 0x7f [0294.748] SetLastError (dwErrCode=0x7f) [0294.749] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_createA") returned 0x0 [0294.749] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_create") returned 0x647c7d14 [0294.749] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x10) returned 0x79a1d0 [0294.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x79a1d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0294.749] GetActiveWindow () returned 0x0 [0294.749] GetLastError () returned 0x7f [0294.750] SetLastError (dwErrCode=0x7f) Thread: id = 921 os_tid = 0xda4 Process: id = "434" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x65f6d000" os_pid = "0xdb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "433" os_parent_pid = "0xc3c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_create /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "435" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x6a494000" os_pid = "0xc48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 31924 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 31925 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 31926 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 31927 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 31928 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 31929 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 31930 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 31931 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 31932 start_va = 0xfb0000 end_va = 0xfb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 31933 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 31934 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 31935 start_va = 0x7e920000 end_va = 0x7e942fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e920000" filename = "" Region: id = 31936 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 31937 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 31938 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 31939 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 31944 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 31945 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 31946 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 31947 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31948 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 31949 start_va = 0xfc0000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 31950 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 31951 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 31954 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 31955 start_va = 0x7e820000 end_va = 0x7e91ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e820000" filename = "" Region: id = 31956 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 31957 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 31958 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 31959 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 31960 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 31961 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 31962 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 31963 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 31964 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 31965 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 31966 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 31967 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 31968 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 31969 start_va = 0xfb0000 end_va = 0xfb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 31970 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 31971 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 31972 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 31974 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 31975 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 31976 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 31977 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 31978 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 31979 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 31980 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 31981 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 31982 start_va = 0xfc0000 end_va = 0xfe9fff monitored = 0 entry_point = 0xfc5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31983 start_va = 0x1070000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001070000" filename = "" Region: id = 31984 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 31985 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 31986 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 31987 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 31988 start_va = 0x1170000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 31989 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 31990 start_va = 0xfc0000 end_va = 0x1050fff monitored = 0 entry_point = 0xff8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 31992 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 31993 start_va = 0xfc0000 end_va = 0xfc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 31994 start_va = 0xfd0000 end_va = 0xfd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 31995 start_va = 0xfd0000 end_va = 0xfd7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 31997 start_va = 0xfd0000 end_va = 0xfd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 31998 start_va = 0xfe0000 end_va = 0xfe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 31999 start_va = 0xfd0000 end_va = 0xfd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 32000 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 32002 start_va = 0xfd0000 end_va = 0xfd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 32003 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Thread: id = 922 os_tid = 0xd18 [0295.151] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0295.151] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.152] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0295.152] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.152] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0295.152] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0295.153] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.153] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0295.153] GetProcessHeap () returned 0x1070000 [0295.153] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.154] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0295.154] GetLastError () returned 0x7e [0295.154] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0295.154] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0295.154] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x364) returned 0x10809a8 [0295.154] SetLastError (dwErrCode=0x7e) [0295.154] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0xe00) returned 0x1080d18 [0295.156] GetStartupInfoW (in: lpStartupInfo=0x18fb0c | out: lpStartupInfo=0x18fb0c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0295.156] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0295.156] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0295.156] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0295.156] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"" [0295.156] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"" [0295.156] GetACP () returned 0x4e4 [0295.156] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x220) returned 0x1081b20 [0295.156] IsValidCodePage (CodePage=0x4e4) returned 1 [0295.156] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fb2c | out: lpCPInfo=0x18fb2c) returned 1 [0295.156] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f3f4 | out: lpCPInfo=0x18f3f4) returned 1 [0295.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f198, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ") returned 256 [0295.156] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ젻ıĀ", cchSrc=256, lpCharType=0x18f408 | out: lpCharType=0x18f408) returned 1 [0295.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f148, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0295.156] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.157] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0295.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0295.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18ef38, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0295.157] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f908, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÓÄ5ÔDû\x18", lpUsedDefaultChar=0x0) returned 256 [0295.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fa08, cbMultiByte=256, lpWideCharStr=0x18f168, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0295.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0295.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ef58, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0295.157] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f808, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÓÄ5ÔDû\x18", lpUsedDefaultChar=0x0) returned 256 [0295.157] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x80) returned 0x1073880 [0295.157] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0295.157] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x196) returned 0x1081d48 [0295.157] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0295.157] GetLastError () returned 0x0 [0295.157] SetLastError (dwErrCode=0x0) [0295.157] GetEnvironmentStringsW () returned 0x1081ee8* [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0xa8c) returned 0x1082980 [0295.158] FreeEnvironmentStringsW (penv=0x1081ee8) returned 1 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x90) returned 0x1074570 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3e) returned 0x107aa10 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x5c) returned 0x1078848 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x6e) returned 0x1074638 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x78) returned 0x1083d40 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x62) returned 0x1074a08 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x28) returned 0x1073da0 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x48) returned 0x1073ff0 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1a) returned 0x1070570 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3a) returned 0x107b118 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x62) returned 0x1073c00 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2a) returned 0x1078688 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2e) returned 0x10787a0 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1c) returned 0x1073dd0 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x144) returned 0x1079cc0 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x7c) returned 0x10780a8 [0295.158] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x36) returned 0x107e3b8 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3a) returned 0x107ac08 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x90) returned 0x10743a8 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073920 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x30) returned 0x1078618 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x36) returned 0x107e138 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x48) returned 0x1072910 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x52) returned 0x10704b8 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x3c) returned 0x107ae90 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0xd6) returned 0x1079e80 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2e) returned 0x1078420 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x1e) returned 0x1072960 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2c) returned 0x10786c0 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x54) returned 0x1073e18 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x52) returned 0x1074078 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073e78 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x42) returned 0x10740d8 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x2c) returned 0x10786f8 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x44) returned 0x1079fb0 [0295.159] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x24) returned 0x1073950 [0295.160] HeapFree (in: hHeap=0x1070000, dwFlags=0x0, lpMem=0x1082980 | out: hHeap=0x1070000) returned 1 [0295.160] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x8, Size=0x800) returned 0x1081ee8 [0295.160] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0295.160] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0295.160] GetStartupInfoW (in: lpStartupInfo=0x18fb70 | out: lpStartupInfo=0x18fb70*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0295.160] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"" [0295.160] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"", pNumArgs=0x18fb5c | out: pNumArgs=0x18fb5c) returned 0x1082b38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0295.161] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0295.167] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x1000) returned 0x1084420 [0295.167] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x38) returned 0x107e538 [0295.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decrypt", cchWideChar=-1, lpMultiByteStr=0x107e538, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decrypt", lpUsedDefaultChar=0x0) returned 28 [0295.167] GetLastError () returned 0x0 [0295.168] SetLastError (dwErrCode=0x0) [0295.168] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptW") returned 0x0 [0295.168] GetLastError () returned 0x7f [0295.168] SetLastError (dwErrCode=0x7f) [0295.168] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptA") returned 0x0 [0295.168] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decrypt") returned 0x647c7430 [0295.168] RtlAllocateHeap (HeapHandle=0x1070000, Flags=0x0, Size=0x10) returned 0x107a158 [0295.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x107a158, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0295.168] GetActiveWindow () returned 0x0 [0295.169] GetLastError () returned 0x7f [0295.169] SetLastError (dwErrCode=0x7f) Thread: id = 924 os_tid = 0xd64 Process: id = "436" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73fab000" os_pid = "0x1380" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "435" os_parent_pid = "0xc48" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decrypt /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "437" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x17baa000" os_pid = "0xc38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32007 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32008 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32009 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32010 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32011 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32012 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32013 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32014 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32015 start_va = 0xb50000 end_va = 0xb51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 32016 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32017 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32018 start_va = 0x7f670000 end_va = 0x7f692fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f670000" filename = "" Region: id = 32019 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32020 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32021 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32022 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32023 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32024 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32025 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32026 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32027 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32028 start_va = 0xb60000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 32029 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32030 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32032 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32033 start_va = 0x7f570000 end_va = 0x7f66ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f570000" filename = "" Region: id = 32034 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32035 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 32036 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32037 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32038 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32039 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 32040 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32041 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32042 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32043 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32044 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32045 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32046 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32047 start_va = 0xb50000 end_va = 0xb53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 32048 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32049 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32050 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32052 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32053 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32054 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32055 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32056 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32057 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32058 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32059 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 32060 start_va = 0xc80000 end_va = 0xca9fff monitored = 0 entry_point = 0xc85680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32061 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32062 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32063 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 32064 start_va = 0x810000 end_va = 0x990fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 32065 start_va = 0xc80000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 32066 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32067 start_va = 0xc80000 end_va = 0xd10fff monitored = 0 entry_point = 0xcb8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32068 start_va = 0xe70000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32073 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32074 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 32075 start_va = 0xb80000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 32076 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 32077 start_va = 0xb70000 end_va = 0xb77fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 32079 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 32080 start_va = 0xc80000 end_va = 0xc81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 32081 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 32082 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 32084 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 32085 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Thread: id = 925 os_tid = 0xffc [0295.534] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0295.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.535] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0295.535] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.535] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0295.535] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0295.536] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.536] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0295.536] GetProcessHeap () returned 0xb80000 [0295.536] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.536] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0295.536] GetLastError () returned 0x7e [0295.536] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0295.537] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0295.537] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x364) returned 0xb90a88 [0295.537] SetLastError (dwErrCode=0x7e) [0295.537] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0xe00) returned 0xb90df8 [0295.538] GetStartupInfoW (in: lpStartupInfo=0x18f974 | out: lpStartupInfo=0x18f974*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0295.538] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0295.538] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0295.538] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0295.539] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"" [0295.539] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"" [0295.539] GetACP () returned 0x4e4 [0295.539] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x220) returned 0xb91c00 [0295.539] IsValidCodePage (CodePage=0x4e4) returned 1 [0295.539] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f994 | out: lpCPInfo=0x18f994) returned 1 [0295.539] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f25c | out: lpCPInfo=0x18f25c) returned 1 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x18eff8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0295.539] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f270 | out: lpCharType=0x18f270) returned 1 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x18efb8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0295.539] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0295.539] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0295.539] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0295.539] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18eda8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0295.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f770, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\r¨ÇЬù\x18", lpUsedDefaultChar=0x0) returned 256 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0295.539] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f870, cbMultiByte=256, lpWideCharStr=0x18efc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0295.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0295.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18edb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0295.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f670, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\r¨ÇЬù\x18", lpUsedDefaultChar=0x0) returned 256 [0295.540] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x80) returned 0xb83890 [0295.540] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0295.540] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x19c) returned 0xb91e28 [0295.540] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0295.540] GetLastError () returned 0x0 [0295.540] SetLastError (dwErrCode=0x0) [0295.540] GetEnvironmentStringsW () returned 0xb91fd0* [0295.540] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0xa8c) returned 0xb92a68 [0295.540] FreeEnvironmentStringsW (penv=0xb91fd0) returned 1 [0295.540] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x90) returned 0xb84580 [0295.540] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x3e) returned 0xb8af30 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x5c) returned 0xb88858 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x6e) returned 0xb84648 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x78) returned 0xb93b28 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x62) returned 0xb84a18 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x28) returned 0xb83db0 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x48) returned 0xb84000 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x1a) returned 0xb80570 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x3a) returned 0xb8b050 [0295.541] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x62) returned 0xb83c10 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x2a) returned 0xb88740 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x2e) returned 0xb88580 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x1c) returned 0xb83de0 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x144) returned 0xb89cd0 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x7c) returned 0xb880b8 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x36) returned 0xb8e6d8 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x3a) returned 0xb8ab88 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x90) returned 0xb843b8 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x24) returned 0xb83930 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x30) returned 0xb88468 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x36) returned 0xb8e458 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x48) returned 0xb82918 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x52) returned 0xb804b8 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x3c) returned 0xb8b098 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0xd6) returned 0xb89e90 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x2e) returned 0xb88698 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x1e) returned 0xb82968 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x2c) returned 0xb88510 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x54) returned 0xb83e28 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x52) returned 0xb84088 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x24) returned 0xb83e88 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x42) returned 0xb840e8 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x2c) returned 0xb885f0 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x44) returned 0xb89fc0 [0295.542] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x24) returned 0xb83960 [0295.543] HeapFree (in: hHeap=0xb80000, dwFlags=0x0, lpMem=0xb92a68 | out: hHeap=0xb80000) returned 1 [0295.559] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x8, Size=0x800) returned 0xb91fd0 [0295.560] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0295.560] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0295.560] GetStartupInfoW (in: lpStartupInfo=0x18f9d8 | out: lpStartupInfo=0x18f9d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0295.560] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"" [0295.560] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"", pNumArgs=0x18f9c4 | out: pNumArgs=0x18f9c4) returned 0xb92c20*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0295.560] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0295.563] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x1000) returned 0xb94508 [0295.563] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x3e) returned 0xb8acf0 [0295.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_decryptAny", cchWideChar=-1, lpMultiByteStr=0xb8acf0, cbMultiByte=62, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_decryptAny", lpUsedDefaultChar=0x0) returned 31 [0295.563] GetLastError () returned 0x0 [0295.563] SetLastError (dwErrCode=0x0) [0295.563] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyW") returned 0x0 [0295.563] GetLastError () returned 0x7f [0295.563] SetLastError (dwErrCode=0x7f) [0295.563] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAnyA") returned 0x0 [0295.563] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_decryptAny") returned 0x647c7a5d [0295.563] RtlAllocateHeap (HeapHandle=0xb80000, Flags=0x0, Size=0x10) returned 0xb8a348 [0295.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0xb8a348, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0295.564] GetActiveWindow () returned 0x0 [0295.564] GetLastError () returned 0x7f [0295.565] SetLastError (dwErrCode=0x7f) Thread: id = 927 os_tid = 0x11c0 Process: id = "438" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x15a33000" os_pid = "0x13b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "437" os_parent_pid = "0xc38" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_decryptAny /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "439" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x52284000" os_pid = "0xd60" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32115 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32116 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32117 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32118 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32119 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32120 start_va = 0x570000 end_va = 0x571fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 32121 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32122 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32123 start_va = 0x7fa40000 end_va = 0x7fa62fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007fa40000" filename = "" Region: id = 32124 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32125 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32126 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32127 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32128 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32129 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32130 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32135 start_va = 0x400000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32136 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32137 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32138 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32139 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32140 start_va = 0x580000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 32141 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32142 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32144 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32145 start_va = 0x7f940000 end_va = 0x7fa3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f940000" filename = "" Region: id = 32146 start_va = 0x4c0000 end_va = 0x57dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32147 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32148 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32149 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32150 start_va = 0x6d0000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 32151 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32152 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32153 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32154 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32155 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32156 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32157 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32158 start_va = 0x580000 end_va = 0x583fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 32159 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 32160 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32161 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32162 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32163 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32165 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32166 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32167 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32168 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32169 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32170 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32171 start_va = 0x590000 end_va = 0x5b9fff monitored = 0 entry_point = 0x595680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32172 start_va = 0x7d0000 end_va = 0x957fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 32173 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32174 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32175 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32176 start_va = 0x4b0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 32177 start_va = 0x960000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 32178 start_va = 0xaf0000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 32179 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32180 start_va = 0xaf0000 end_va = 0xb80fff monitored = 0 entry_point = 0xb28cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32181 start_va = 0xc60000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 32183 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32184 start_va = 0x590000 end_va = 0x590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 32185 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 32186 start_va = 0x5a0000 end_va = 0x5a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 32190 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 32191 start_va = 0x5b0000 end_va = 0x5b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 32192 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 32193 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 32194 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 32195 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Thread: id = 929 os_tid = 0x11f4 [0296.565] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0296.567] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0296.567] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0296.567] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0296.568] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0296.568] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0296.618] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0296.619] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0296.619] GetProcessHeap () returned 0x5d0000 [0296.619] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0296.619] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0296.619] GetLastError () returned 0x7e [0296.619] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0296.619] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0296.619] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x364) returned 0x5e0aa8 [0296.620] SetLastError (dwErrCode=0x7e) [0296.620] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xe00) returned 0x5e0e18 [0296.621] GetStartupInfoW (in: lpStartupInfo=0x18f768 | out: lpStartupInfo=0x18f768*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0296.621] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0296.621] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0296.621] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0296.621] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"" [0296.622] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"" [0296.622] GetACP () returned 0x4e4 [0296.622] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x220) returned 0x5e1c20 [0296.622] IsValidCodePage (CodePage=0x4e4) returned 1 [0296.622] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f788 | out: lpCPInfo=0x18f788) returned 1 [0296.622] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f050 | out: lpCPInfo=0x18f050) returned 1 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18edf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0296.622] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f064 | out: lpCharType=0x18f064) returned 1 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18eda8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0296.622] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0296.622] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0296.622] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0296.622] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18eb98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0296.622] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f564, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x7f/ú´ ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0296.622] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f664, cbMultiByte=256, lpWideCharStr=0x18edc8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0296.623] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0296.623] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ebb8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0296.623] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f464, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x7f/ú´ ÷\x18", lpUsedDefaultChar=0x0) returned 256 [0296.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x80) returned 0x5d38b0 [0296.623] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0296.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1b8) returned 0x5e1e48 [0296.623] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0296.623] GetLastError () returned 0x0 [0296.623] SetLastError (dwErrCode=0x0) [0296.623] GetEnvironmentStringsW () returned 0x5e2008* [0296.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0xa8c) returned 0x5e2aa0 [0296.623] FreeEnvironmentStringsW (penv=0x5e2008) returned 1 [0296.623] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x90) returned 0x5d45a0 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3e) returned 0x5daf98 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x5c) returned 0x5d8878 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x6e) returned 0x5d4668 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x78) returned 0x5e3f60 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x62) returned 0x5d4a38 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x28) returned 0x5d3dd0 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x48) returned 0x5d4020 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1a) returned 0x5d0570 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3a) returned 0x5db100 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x62) returned 0x5d3c30 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2a) returned 0x5d84f8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2e) returned 0x5d87d0 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1c) returned 0x5d3e00 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x144) returned 0x5d9cf0 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x7c) returned 0x5d80d8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x36) returned 0x5de578 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3a) returned 0x5dab18 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x90) returned 0x5d43d8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3950 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x30) returned 0x5d86b8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x36) returned 0x5de0b8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x48) returned 0x5d2930 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x52) returned 0x5d04b8 [0296.624] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x3c) returned 0x5daf08 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0xd6) returned 0x5d9eb0 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2e) returned 0x5d8568 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x1e) returned 0x5d2980 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2c) returned 0x5d8450 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x54) returned 0x5d3e48 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x52) returned 0x5d40a8 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3ea8 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x42) returned 0x5d4108 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x2c) returned 0x5d86f0 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x44) returned 0x5d9fe0 [0296.625] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x24) returned 0x5d3980 [0296.626] HeapFree (in: hHeap=0x5d0000, dwFlags=0x0, lpMem=0x5e2aa0 | out: hHeap=0x5d0000) returned 1 [0296.626] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x8, Size=0x800) returned 0x5e2008 [0296.626] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0296.626] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0296.626] GetStartupInfoW (in: lpStartupInfo=0x18f7cc | out: lpStartupInfo=0x18f7cc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0296.626] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"" [0296.626] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"", pNumArgs=0x18f7b8 | out: pNumArgs=0x18f7b8) returned 0x5e2c58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0296.627] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0296.629] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x1000) returned 0x5e4540 [0296.629] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x5a) returned 0x5da728 [0296.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_deserializeCertificateId", cchWideChar=-1, lpMultiByteStr=0x5da728, cbMultiByte=90, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_deserializeCertificateId", lpUsedDefaultChar=0x0) returned 45 [0296.629] GetLastError () returned 0x0 [0296.629] SetLastError (dwErrCode=0x0) [0296.629] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdW") returned 0x0 [0296.630] GetLastError () returned 0x7f [0296.630] SetLastError (dwErrCode=0x7f) [0296.630] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateIdA") returned 0x0 [0296.630] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_deserializeCertificateId") returned 0x647cddbf [0296.630] RtlAllocateHeap (HeapHandle=0x5d0000, Flags=0x0, Size=0x10) returned 0x5da320 [0296.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x5da320, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0296.630] GetActiveWindow () returned 0x0 [0296.632] GetLastError () returned 0x7f [0296.632] SetLastError (dwErrCode=0x7f) Thread: id = 931 os_tid = 0x970 Process: id = "440" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x7a800000" os_pid = "0x59c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "439" os_parent_pid = "0xd60" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_deserializeCertificateId /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "441" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x381d8000" os_pid = "0x12c8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32202 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32203 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32204 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32205 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32206 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32207 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32208 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32209 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32210 start_va = 0xdb0000 end_va = 0xdb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 32211 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32212 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32213 start_va = 0x7ecb0000 end_va = 0x7ecd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ecb0000" filename = "" Region: id = 32214 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32215 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32216 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32217 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32218 start_va = 0x400000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32219 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32220 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32221 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32222 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32223 start_va = 0xdc0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 32224 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32226 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32227 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32228 start_va = 0x7ebb0000 end_va = 0x7ecaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ebb0000" filename = "" Region: id = 32229 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32230 start_va = 0x5c0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 32231 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32232 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32233 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32234 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 32235 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32236 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32237 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32238 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32240 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32241 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32242 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32243 start_va = 0xdb0000 end_va = 0xdb3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 32244 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32245 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32246 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32247 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32248 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32249 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32250 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32251 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32254 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32255 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32256 start_va = 0x5d0000 end_va = 0x757fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 32257 start_va = 0xdc0000 end_va = 0xde9fff monitored = 0 entry_point = 0xdc5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32258 start_va = 0xf60000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 32259 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32261 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32262 start_va = 0x760000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 32263 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 32264 start_va = 0xdc0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 32265 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32266 start_va = 0xe00000 end_va = 0xe90fff monitored = 0 entry_point = 0xe38cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32267 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32268 start_va = 0xdc0000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 32269 start_va = 0xdf0000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 32270 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 32271 start_va = 0xdd0000 end_va = 0xdd7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 32273 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32275 start_va = 0xde0000 end_va = 0xde1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 32276 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32277 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 32278 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 32279 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Thread: id = 932 os_tid = 0x11bc [0297.532] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0297.533] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0297.533] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0297.533] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0297.533] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0297.533] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0297.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0297.534] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0297.534] GetProcessHeap () returned 0xf60000 [0297.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0297.534] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0297.534] GetLastError () returned 0x7e [0297.534] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0297.535] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0297.535] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x364) returned 0xf70aa8 [0297.535] SetLastError (dwErrCode=0x7e) [0297.535] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xe00) returned 0xf70e18 [0297.537] GetStartupInfoW (in: lpStartupInfo=0x18f9d4 | out: lpStartupInfo=0x18f9d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0297.537] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0297.537] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0297.537] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0297.537] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"" [0297.537] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"" [0297.537] GetACP () returned 0x4e4 [0297.537] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x220) returned 0xf71c20 [0297.537] IsValidCodePage (CodePage=0x4e4) returned 1 [0297.537] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9f4 | out: lpCPInfo=0x18f9f4) returned 1 [0297.537] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f2bc | out: lpCPInfo=0x18f2bc) returned 1 [0297.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0297.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x18f058, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0297.537] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f2d0 | out: lpCharType=0x18f2d0) returned 1 [0297.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0297.537] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x18f018, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0297.537] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0297.537] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0297.537] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0297.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0297.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f7d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¸\x07ßR\x0cú\x18", lpUsedDefaultChar=0x0) returned 256 [0297.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0297.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f8d0, cbMultiByte=256, lpWideCharStr=0x18f028, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0297.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0297.538] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee18, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0297.538] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f6d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ¸\x07ßR\x0cú\x18", lpUsedDefaultChar=0x0) returned 256 [0297.538] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x80) returned 0xf638b0 [0297.538] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0297.538] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1b4) returned 0xf71e48 [0297.538] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0297.538] GetLastError () returned 0x0 [0297.538] SetLastError (dwErrCode=0x0) [0297.538] GetEnvironmentStringsW () returned 0xf72008* [0297.538] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0xa8c) returned 0xf72aa0 [0297.540] FreeEnvironmentStringsW (penv=0xf72008) returned 1 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x90) returned 0xf64800 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3e) returned 0xf6abf0 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x5c) returned 0xf68ad8 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x6e) returned 0xf648c8 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x78) returned 0xf73c60 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x62) returned 0xf64c98 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x28) returned 0xf63dd0 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x48) returned 0xf64020 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1a) returned 0xf60570 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3a) returned 0xf6ae78 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x62) returned 0xf63c30 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2a) returned 0xf68870 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2e) returned 0xf688a8 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1c) returned 0xf63e00 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x144) returned 0xf69cf0 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x7c) returned 0xf68338 [0297.540] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x36) returned 0xf6e078 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3a) returned 0xf6aec0 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x90) returned 0xf643d8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x24) returned 0xf63950 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x30) returned 0xf688e0 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x36) returned 0xf6e1f8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x48) returned 0xf62930 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x52) returned 0xf604b8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x3c) returned 0xf6b028 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0xd6) returned 0xf69eb0 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2e) returned 0xf68918 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x1e) returned 0xf62980 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2c) returned 0xf689f8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x54) returned 0xf63e48 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x52) returned 0xf640a8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x24) returned 0xf63ea8 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x42) returned 0xf64108 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x2c) returned 0xf68758 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x44) returned 0xf69fe0 [0297.541] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x24) returned 0xf63980 [0297.542] HeapFree (in: hHeap=0xf60000, dwFlags=0x0, lpMem=0xf72aa0 | out: hHeap=0xf60000) returned 1 [0297.542] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x8, Size=0x800) returned 0xf72008 [0297.542] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0297.542] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0297.542] GetStartupInfoW (in: lpStartupInfo=0x18fa38 | out: lpStartupInfo=0x18fa38*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0297.542] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"" [0297.542] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"", pNumArgs=0x18fa24 | out: pNumArgs=0x18fa24) returned 0xf72c58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0297.543] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0297.545] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x1000) returned 0xf74540 [0297.545] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x56) returned 0xf6a728 [0297.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_duplicateCertificateId", cchWideChar=-1, lpMultiByteStr=0xf6a728, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_duplicateCertificateId", lpUsedDefaultChar=0x0) returned 43 [0297.545] GetLastError () returned 0x0 [0297.545] SetLastError (dwErrCode=0x0) [0297.545] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdW") returned 0x0 [0297.546] GetLastError () returned 0x7f [0297.546] SetLastError (dwErrCode=0x7f) [0297.546] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateIdA") returned 0x0 [0297.546] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_duplicateCertificateId") returned 0x647c6aee [0297.546] RtlAllocateHeap (HeapHandle=0xf60000, Flags=0x0, Size=0x10) returned 0xf6a0e0 [0297.546] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0xf6a0e0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0297.546] GetActiveWindow () returned 0x0 [0297.547] GetLastError () returned 0x7f [0297.547] SetLastError (dwErrCode=0x7f) Thread: id = 934 os_tid = 0xa88 Process: id = "442" image_name = "werfault.exe" filename = "c:\\windows\\syswow64\\werfault.exe" page_root = "0x14ebd000" os_pid = "0x13e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "441" os_parent_pid = "0x12c8" cmd_line = "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 4808 -s 364" cur_dir = "C:\\Windows\\system32\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32283 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32284 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32285 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32286 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32287 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 32288 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 32289 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 32290 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32291 start_va = 0xd60000 end_va = 0xd60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 32292 start_va = 0x10e0000 end_va = 0x1122fff monitored = 0 entry_point = 0x1100f50 region_type = mapped_file name = "werfault.exe" filename = "\\Windows\\SysWOW64\\WerFault.exe" (normalized: "c:\\windows\\syswow64\\werfault.exe") Region: id = 32293 start_va = 0x1130000 end_va = 0x512ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001130000" filename = "" Region: id = 32294 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32295 start_va = 0x7f950000 end_va = 0x7f972fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f950000" filename = "" Region: id = 32296 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32297 start_va = 0x7fff0000 end_va = 0x7dfb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32298 start_va = 0x7dfb201b0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007dfb201b0000" filename = "" Region: id = 32299 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32300 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32301 start_va = 0x400000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32302 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32303 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32305 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32306 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32307 start_va = 0xd70000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 32308 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32309 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32311 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32312 start_va = 0x7f850000 end_va = 0x7f94ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f850000" filename = "" Region: id = 32313 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32314 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32315 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32316 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32317 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 32318 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32319 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32320 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32321 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32322 start_va = 0xd60000 end_va = 0xd63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 32323 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32324 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32325 start_va = 0x6fb30000 end_va = 0x6fbb6fff monitored = 0 entry_point = 0x6fb9dbc0 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\SysWOW64\\wer.dll" (normalized: "c:\\windows\\syswow64\\wer.dll") Region: id = 32326 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32327 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32329 start_va = 0x6fbc0000 end_va = 0x6fcfefff monitored = 0 entry_point = 0x6fbed880 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\SysWOW64\\dbghelp.dll" (normalized: "c:\\windows\\syswow64\\dbghelp.dll") Region: id = 32330 start_va = 0x6fb00000 end_va = 0x6fb21fff monitored = 0 entry_point = 0x6fb091f0 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 32331 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32332 start_va = 0x719c0000 end_va = 0x719dafff monitored = 0 entry_point = 0x719c9050 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 32333 start_va = 0x6faa0000 end_va = 0x6faf3fff monitored = 0 entry_point = 0x6fad10d0 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\SysWOW64\\Faultrep.dll" (normalized: "c:\\windows\\syswow64\\faultrep.dll") Region: id = 32334 start_va = 0x6fa70000 end_va = 0x6fa90fff monitored = 0 entry_point = 0x6fa8a910 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\SysWOW64\\dbgcore.dll" (normalized: "c:\\windows\\syswow64\\dbgcore.dll") Region: id = 32335 start_va = 0xd70000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 32336 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 32337 start_va = 0xd70000 end_va = 0xdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 32338 start_va = 0xea0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 32339 start_va = 0xd70000 end_va = 0xd73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 32340 start_va = 0xde0000 end_va = 0xdeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 32342 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32343 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32344 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 32345 start_va = 0xd80000 end_va = 0xda9fff monitored = 0 entry_point = 0xd85680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32346 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32347 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 32348 start_va = 0xd80000 end_va = 0xd83fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "werfault.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\WerFault.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\werfault.exe.mui") Region: id = 32349 start_va = 0x5130000 end_va = 0x652ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005130000" filename = "" Region: id = 32350 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32351 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 32352 start_va = 0x74250000 end_va = 0x742c4fff monitored = 0 entry_point = 0x74289a60 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 32353 start_va = 0xd90000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 32355 start_va = 0xd90000 end_va = 0xd90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 32356 start_va = 0xdc0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 32357 start_va = 0xda0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 32358 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 32359 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32360 start_va = 0xdb0000 end_va = 0xdb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 32361 start_va = 0x6530000 end_va = 0x6d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006530000" filename = "" Region: id = 32362 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32363 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32364 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32365 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32366 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32367 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32368 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32369 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32370 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32371 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32372 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32373 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32374 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32375 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32376 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32377 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32395 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32396 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32397 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32398 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32399 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32400 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32401 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32402 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32403 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32404 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32405 start_va = 0xdb0000 end_va = 0xdb6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 32414 start_va = 0x450000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 32415 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 32416 start_va = 0xdf0000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 32460 start_va = 0xdb0000 end_va = 0xdb1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "faultrep.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\faultrep.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\faultrep.dll.mui") Region: id = 32461 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32462 start_va = 0x6ee90000 end_va = 0x6f2adfff monitored = 0 entry_point = 0x6ef8ee80 region_type = mapped_file name = "dbgeng.dll" filename = "\\Windows\\SysWOW64\\dbgeng.dll" (normalized: "c:\\windows\\syswow64\\dbgeng.dll") Region: id = 32463 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32464 start_va = 0x6f810000 end_va = 0x6f87ffff monitored = 0 entry_point = 0x6f864b90 region_type = mapped_file name = "dbgmodel.dll" filename = "\\Windows\\SysWOW64\\DbgModel.dll" (normalized: "c:\\windows\\syswow64\\dbgmodel.dll") Region: id = 32465 start_va = 0x6fd30000 end_va = 0x6fd5cfff monitored = 0 entry_point = 0x6fd42b00 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Region: id = 32466 start_va = 0xfb0000 end_va = 0x1099fff monitored = 0 entry_point = 0xfed650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32476 start_va = 0x70050000 end_va = 0x70059fff monitored = 0 entry_point = 0x70053200 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 32477 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32478 start_va = 0x6f5d0000 end_va = 0x6f5d7fff monitored = 0 entry_point = 0x6f5d17b0 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 32479 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 32480 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32481 start_va = 0x6530000 end_va = 0x6866fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 32483 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32484 start_va = 0xdd0000 end_va = 0xdd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32485 start_va = 0xdd0000 end_va = 0xdd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32486 start_va = 0xdd0000 end_va = 0xdd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32487 start_va = 0x850000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 32488 start_va = 0xdd0000 end_va = 0xdd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32489 start_va = 0xdd0000 end_va = 0xddbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32490 start_va = 0xdd0000 end_va = 0xdddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32491 start_va = 0xdd0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32492 start_va = 0xe70000 end_va = 0xe81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32493 start_va = 0xe70000 end_va = 0xe83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32494 start_va = 0xe70000 end_va = 0xe85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32495 start_va = 0xe70000 end_va = 0xe87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32496 start_va = 0xe70000 end_va = 0xe89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32497 start_va = 0xe70000 end_va = 0xe8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32498 start_va = 0xe70000 end_va = 0xe8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32499 start_va = 0xe70000 end_va = 0xe8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 32508 start_va = 0x6870000 end_va = 0x694ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 32540 start_va = 0x6950000 end_va = 0x6a1afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006950000" filename = "" Region: id = 32541 start_va = 0x6a20000 end_va = 0x6ad8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a20000" filename = "" Region: id = 32560 start_va = 0x6ae0000 end_va = 0x6b89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006ae0000" filename = "" Region: id = 32596 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 32597 start_va = 0xe70000 end_va = 0xe72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wer.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\wer.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wer.dll.mui") Region: id = 32598 start_va = 0xe80000 end_va = 0xe83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 32599 start_va = 0x6950000 end_va = 0x714ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006950000" filename = "" Region: id = 32600 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32601 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32602 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32603 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32604 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32605 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32606 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32607 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32610 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32611 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32612 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32613 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32614 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32615 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32616 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32617 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32618 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32619 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32620 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32621 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32622 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32623 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32624 start_va = 0x6950000 end_va = 0x6a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006950000" filename = "" Region: id = 32627 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32628 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32629 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32630 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32631 start_va = 0xe90000 end_va = 0xe96fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32632 start_va = 0x6fa00000 end_va = 0x6fa63fff monitored = 0 entry_point = 0x6fa3e270 region_type = mapped_file name = "werui.dll" filename = "\\Windows\\SysWOW64\\werui.dll" (normalized: "c:\\windows\\syswow64\\werui.dll") Region: id = 32633 start_va = 0x450000 end_va = 0x451fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 32634 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32635 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32636 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32637 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32638 start_va = 0x74bb0000 end_va = 0x74c41fff monitored = 0 entry_point = 0x74be8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32639 start_va = 0x731b0000 end_va = 0x733befff monitored = 0 entry_point = 0x7325b0a0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll") Region: id = 32640 start_va = 0x6f460000 end_va = 0x6f5c6fff monitored = 0 entry_point = 0x6f4db9d0 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\SysWOW64\\dui70.dll" (normalized: "c:\\windows\\syswow64\\dui70.dll") Region: id = 32641 start_va = 0x460000 end_va = 0x461fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 32642 start_va = 0x6f430000 end_va = 0x6f457fff monitored = 0 entry_point = 0x6f437820 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 32644 start_va = 0xe90000 end_va = 0xe90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 32645 start_va = 0x470000 end_va = 0x471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 32646 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 32647 start_va = 0x759b0000 end_va = 0x75a33fff monitored = 0 entry_point = 0x759d6220 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 32648 start_va = 0x10b0000 end_va = 0x10b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010b0000" filename = "" Region: id = 32649 start_va = 0x6f880000 end_va = 0x6f8b3fff monitored = 0 entry_point = 0x6f898280 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Thread: id = 935 os_tid = 0xe1c Thread: id = 936 os_tid = 0x136c Thread: id = 939 os_tid = 0x11e4 Process: id = "443" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x525e3000" os_pid = "0x1184" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "441" os_parent_pid = "0x12c8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_duplicateCertificateId /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "444" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x792f0000" os_pid = "0x1200" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32378 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32379 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32380 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32381 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32382 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32383 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32384 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32385 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32386 start_va = 0x590000 end_va = 0x591fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 32387 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32388 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32389 start_va = 0x7e890000 end_va = 0x7e8b2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e890000" filename = "" Region: id = 32390 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32391 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32392 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32393 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32406 start_va = 0x400000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32407 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32408 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32409 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32410 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32411 start_va = 0x5a0000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 32412 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32413 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32420 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32421 start_va = 0x7e790000 end_va = 0x7e88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e790000" filename = "" Region: id = 32422 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32423 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 32424 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32425 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32426 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32427 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 32428 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32429 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32430 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32431 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32432 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32433 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32434 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32435 start_va = 0x610000 end_va = 0x613fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 32436 start_va = 0x780000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 32437 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32438 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32439 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32445 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32446 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32447 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32448 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32449 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32450 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32451 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32452 start_va = 0x620000 end_va = 0x649fff monitored = 0 entry_point = 0x625680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32453 start_va = 0x880000 end_va = 0xa07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 32454 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32455 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32456 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 32457 start_va = 0x620000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 32458 start_va = 0xa10000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 32459 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32470 start_va = 0x660000 end_va = 0x6f0fff monitored = 0 entry_point = 0x698cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32471 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32472 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 32473 start_va = 0x650000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 32474 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 32475 start_va = 0x630000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 32501 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 32502 start_va = 0x640000 end_va = 0x641fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 32503 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 32504 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 32505 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 32506 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Thread: id = 937 os_tid = 0xd00 [0298.488] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0298.488] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0298.488] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0298.488] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0298.488] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0298.488] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0298.489] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0298.489] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0298.490] GetProcessHeap () returned 0x780000 [0298.490] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0298.490] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0298.490] GetLastError () returned 0x7e [0298.490] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0298.491] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0298.491] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x364) returned 0x790aa8 [0298.491] SetLastError (dwErrCode=0x7e) [0298.491] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xe00) returned 0x790e18 [0298.493] GetStartupInfoW (in: lpStartupInfo=0x18f8b8 | out: lpStartupInfo=0x18f8b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0298.493] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0298.493] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0298.493] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0298.493] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"" [0298.493] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"" [0298.493] GetACP () returned 0x4e4 [0298.493] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x220) returned 0x791c20 [0298.493] IsValidCodePage (CodePage=0x4e4) returned 1 [0298.493] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8d8 | out: lpCPInfo=0x18f8d8) returned 1 [0298.493] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f1a0 | out: lpCPInfo=0x18f1a0) returned 1 [0298.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0298.493] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x18ef48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0298.493] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f1b4 | out: lpCharType=0x18f1b4) returned 1 [0298.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0298.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x18eef8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0298.494] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0298.494] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0298.494] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0298.494] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ece8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0298.494] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f6b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98µ\x9aiðø\x18", lpUsedDefaultChar=0x0) returned 256 [0298.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0298.494] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f7b4, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0298.494] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0298.494] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ed08, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0298.494] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f5b4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x98µ\x9aiðø\x18", lpUsedDefaultChar=0x0) returned 256 [0298.494] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x80) returned 0x7838b0 [0298.494] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0298.494] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1b6) returned 0x791e48 [0298.495] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0298.495] GetLastError () returned 0x0 [0298.495] SetLastError (dwErrCode=0x0) [0298.495] GetEnvironmentStringsW () returned 0x792008* [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0xa8c) returned 0x792aa0 [0298.495] FreeEnvironmentStringsW (penv=0x792008) returned 1 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7845a0 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3e) returned 0x78ae30 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x5c) returned 0x788878 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x6e) returned 0x784668 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x78) returned 0x794460 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x784a38 [0298.495] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x28) returned 0x783dd0 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x784020 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1a) returned 0x780570 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78b070 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x62) returned 0x783c30 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2a) returned 0x7885a0 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x7885d8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1c) returned 0x783e00 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x144) returned 0x789cf0 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x7c) returned 0x7880d8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e278 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3a) returned 0x78aba8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x90) returned 0x7843d8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783950 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x30) returned 0x788610 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x36) returned 0x78e038 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x48) returned 0x782930 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7804b8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x3c) returned 0x78ade8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0xd6) returned 0x789eb0 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2e) returned 0x788680 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x1e) returned 0x782980 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788648 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x54) returned 0x783e48 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x52) returned 0x7840a8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783ea8 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x42) returned 0x784108 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x2c) returned 0x788798 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x44) returned 0x789fe0 [0298.496] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x24) returned 0x783980 [0298.497] HeapFree (in: hHeap=0x780000, dwFlags=0x0, lpMem=0x792aa0 | out: hHeap=0x780000) returned 1 [0298.497] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x8, Size=0x800) returned 0x792008 [0298.497] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0298.497] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0298.498] GetStartupInfoW (in: lpStartupInfo=0x18f91c | out: lpStartupInfo=0x18f91c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0298.498] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"" [0298.498] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"", pNumArgs=0x18f908 | out: pNumArgs=0x18f908) returned 0x792c58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0298.498] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0298.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x1000) returned 0x794540 [0298.501] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x58) returned 0x78a728 [0298.501] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureCertificateAccess", cchWideChar=-1, lpMultiByteStr=0x78a728, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureCertificateAccess", lpUsedDefaultChar=0x0) returned 44 [0298.501] GetLastError () returned 0x0 [0298.501] SetLastError (dwErrCode=0x0) [0298.501] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessW") returned 0x0 [0298.501] GetLastError () returned 0x7f [0298.501] SetLastError (dwErrCode=0x7f) [0298.502] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccessA") returned 0x0 [0298.502] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureCertificateAccess") returned 0x647c84a4 [0298.502] RtlAllocateHeap (HeapHandle=0x780000, Flags=0x0, Size=0x10) returned 0x78a398 [0298.502] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x78a398, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0298.502] GetActiveWindow () returned 0x0 [0298.504] GetLastError () returned 0x7f [0298.504] SetLastError (dwErrCode=0x7f) Thread: id = 941 os_tid = 0xcec Process: id = "445" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x73d9b000" os_pid = "0xcac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "444" os_parent_pid = "0x1200" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureCertificateAccess /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "446" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x50f06000" os_pid = "0x11d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32511 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32512 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32513 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32514 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32515 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32516 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32517 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32518 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32519 start_va = 0xcc0000 end_va = 0xcc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 32520 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32521 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32522 start_va = 0x7f6f0000 end_va = 0x7f712fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 32523 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32524 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32525 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32526 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32531 start_va = 0x400000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32532 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32533 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32534 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32535 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32536 start_va = 0xcd0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 32537 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32538 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32542 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32543 start_va = 0x7f5f0000 end_va = 0x7f6effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f5f0000" filename = "" Region: id = 32544 start_va = 0x4a0000 end_va = 0x55dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32545 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32546 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32547 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32548 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32549 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32550 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32551 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32552 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32553 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32554 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32555 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32556 start_va = 0xcc0000 end_va = 0xcc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 32557 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32558 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32561 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32562 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32563 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32564 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32565 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32566 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32567 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32568 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32569 start_va = 0x660000 end_va = 0x7e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 32570 start_va = 0xcd0000 end_va = 0xcf9fff monitored = 0 entry_point = 0xcd5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32571 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 32572 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32573 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32574 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32575 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 32576 start_va = 0x7f0000 end_va = 0x970fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 32577 start_va = 0xcd0000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 32578 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32579 start_va = 0xd10000 end_va = 0xda0fff monitored = 0 entry_point = 0xd48cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32581 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32582 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 32583 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 32584 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 32585 start_va = 0xce0000 end_va = 0xce7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 32587 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 32588 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 32589 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 32590 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 32592 start_va = 0xce0000 end_va = 0xce0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 32593 start_va = 0xcf0000 end_va = 0xcf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Thread: id = 943 os_tid = 0x1108 [0299.317] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0299.317] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0299.317] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0299.318] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0299.318] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0299.318] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0299.383] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0299.383] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0299.384] GetProcessHeap () returned 0xeb0000 [0299.384] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0299.384] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0299.384] GetLastError () returned 0x7e [0299.384] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0299.384] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0299.384] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x364) returned 0xec0a90 [0299.384] SetLastError (dwErrCode=0x7e) [0299.384] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0xe00) returned 0xec0e00 [0299.386] GetStartupInfoW (in: lpStartupInfo=0x18f894 | out: lpStartupInfo=0x18f894*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0299.386] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0299.386] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0299.386] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0299.386] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"" [0299.386] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"" [0299.386] GetACP () returned 0x4e4 [0299.386] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x220) returned 0xec1c08 [0299.386] IsValidCodePage (CodePage=0x4e4) returned 1 [0299.386] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f8b4 | out: lpCPInfo=0x18f8b4) returned 1 [0299.386] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f17c | out: lpCPInfo=0x18f17c) returned 1 [0299.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0299.386] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18ef18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0299.386] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f190 | out: lpCharType=0x18f190) returned 1 [0299.387] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0299.387] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18eed8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0299.387] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0299.387] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0299.387] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0299.387] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecc8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0299.387] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f690, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿªX\x93ìÌø\x18", lpUsedDefaultChar=0x0) returned 256 [0299.387] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0299.387] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f790, cbMultiByte=256, lpWideCharStr=0x18eee8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0299.387] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0299.387] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ecd8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0299.387] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f590, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿªX\x93ìÌø\x18", lpUsedDefaultChar=0x0) returned 256 [0299.387] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x80) returned 0xeb3898 [0299.387] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0299.387] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1a6) returned 0xec1e30 [0299.387] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0299.387] GetLastError () returned 0x0 [0299.387] SetLastError (dwErrCode=0x0) [0299.387] GetEnvironmentStringsW () returned 0xec1fe8* [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0xa8c) returned 0xec2a80 [0299.388] FreeEnvironmentStringsW (penv=0xec1fe8) returned 1 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x90) returned 0xeb4588 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3e) returned 0xebad40 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x5c) returned 0xeb8ac0 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x6e) returned 0xeb4650 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x78) returned 0xec3cc0 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x62) returned 0xeb4a20 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x28) returned 0xeb3db8 [0299.388] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x48) returned 0xeb4008 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1a) returned 0xeb0570 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3a) returned 0xebaea8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x62) returned 0xeb3c18 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2a) returned 0xeb8630 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2e) returned 0xeb8518 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1c) returned 0xeb3de8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x144) returned 0xeb9cd8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x7c) returned 0xeb80c0 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x36) returned 0xebe1a0 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3a) returned 0xebb0a0 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x90) returned 0xeb43c0 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3938 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x30) returned 0xeb8588 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x36) returned 0xebe560 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x48) returned 0xeb2920 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x52) returned 0xeb04b8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x3c) returned 0xebaa70 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0xd6) returned 0xeb9e98 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2e) returned 0xeb86d8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x1e) returned 0xeb2970 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2c) returned 0xeb8710 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x54) returned 0xeb3e30 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x52) returned 0xeb4090 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3e90 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x42) returned 0xeb40f0 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x2c) returned 0xeb8748 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x44) returned 0xeb9fc8 [0299.389] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x24) returned 0xeb3968 [0299.390] HeapFree (in: hHeap=0xeb0000, dwFlags=0x0, lpMem=0xec2a80 | out: hHeap=0xeb0000) returned 1 [0299.390] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x8, Size=0x800) returned 0xec1fe8 [0299.390] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0299.390] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0299.390] GetStartupInfoW (in: lpStartupInfo=0x18f8f8 | out: lpStartupInfo=0x18f8f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0299.390] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"" [0299.390] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"", pNumArgs=0x18f8e4 | out: pNumArgs=0x18f8e4) returned 0xec2c38*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0299.391] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0299.393] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x1000) returned 0xec4520 [0299.393] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x48) returned 0xeba710 [0299.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_ensureKeyAccess", cchWideChar=-1, lpMultiByteStr=0xeba710, cbMultiByte=72, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_ensureKeyAccess", lpUsedDefaultChar=0x0) returned 36 [0299.393] GetLastError () returned 0x0 [0299.393] SetLastError (dwErrCode=0x0) [0299.394] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessW") returned 0x0 [0299.394] GetLastError () returned 0x7f [0299.394] SetLastError (dwErrCode=0x7f) [0299.394] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccessA") returned 0x0 [0299.394] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_ensureKeyAccess") returned 0x647c86f6 [0299.394] RtlAllocateHeap (HeapHandle=0xeb0000, Flags=0x0, Size=0x10) returned 0xeba260 [0299.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0xeba260, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0299.394] GetActiveWindow () returned 0x0 [0299.395] GetLastError () returned 0x7f [0299.395] SetLastError (dwErrCode=0x7f) Thread: id = 945 os_tid = 0x12f0 Process: id = "447" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x2079000" os_pid = "0xc90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "446" os_parent_pid = "0x11d0" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_ensureKeyAccess /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "448" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x4371b000" os_pid = "0x12f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32651 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32652 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32653 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32654 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32655 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32656 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32657 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32658 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32659 start_va = 0x740000 end_va = 0x741fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 32660 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32661 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32662 start_va = 0x7e7f0000 end_va = 0x7e812fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e7f0000" filename = "" Region: id = 32663 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32664 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32665 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32666 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32667 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32668 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32669 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32670 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32671 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32672 start_va = 0x750000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 32673 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32675 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32676 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32677 start_va = 0x7e6f0000 end_va = 0x7e7effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e6f0000" filename = "" Region: id = 32678 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32679 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 32680 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32681 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32682 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32683 start_va = 0x560000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 32684 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32685 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32686 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32687 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32688 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32689 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32690 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32691 start_va = 0x740000 end_va = 0x743fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 32693 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32694 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32695 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32696 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32697 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32698 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32699 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32700 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32701 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32702 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32703 start_va = 0x750000 end_va = 0x8d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 32704 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 32705 start_va = 0xa00000 end_va = 0xa29fff monitored = 0 entry_point = 0xa05680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32706 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32707 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32708 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 32709 start_va = 0xa00000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 32710 start_va = 0xb90000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 32711 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32712 start_va = 0xb90000 end_va = 0xc20fff monitored = 0 entry_point = 0xbc8cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32713 start_va = 0xd70000 end_va = 0xd7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 32715 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32739 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 32740 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 32741 start_va = 0x8f0000 end_va = 0x8f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 32745 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 32746 start_va = 0xb90000 end_va = 0xb91fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 32748 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 32749 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b90000" filename = "" Region: id = 32750 start_va = 0x8f0000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 32751 start_va = 0xb90000 end_va = 0xb90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Thread: id = 946 os_tid = 0x12a4 [0300.294] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0300.294] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0300.294] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0300.294] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0300.295] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0300.295] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0300.295] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0300.295] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0300.296] GetProcessHeap () returned 0x900000 [0300.296] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0300.296] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0300.296] GetLastError () returned 0x7e [0300.296] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0300.296] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0300.296] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x364) returned 0x910aa8 [0300.296] SetLastError (dwErrCode=0x7e) [0300.297] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xe00) returned 0x910e18 [0300.298] GetStartupInfoW (in: lpStartupInfo=0x18fe54 | out: lpStartupInfo=0x18fe54*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0300.298] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0300.298] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0300.298] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0300.298] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"" [0300.298] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"" [0300.298] GetACP () returned 0x4e4 [0300.298] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x220) returned 0x911c20 [0300.298] IsValidCodePage (CodePage=0x4e4) returned 1 [0300.298] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe74 | out: lpCPInfo=0x18fe74) returned 1 [0300.298] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f73c | out: lpCPInfo=0x18f73c) returned 1 [0300.298] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0300.298] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0300.299] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f750 | out: lpCharType=0x18f750) returned 1 [0300.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0300.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0300.299] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0300.299] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0300.299] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0300.299] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0300.299] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQAå)\x8cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0300.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0300.299] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd50, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0300.299] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0300.299] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0300.299] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿQAå)\x8cþ\x18", lpUsedDefaultChar=0x0) returned 256 [0300.300] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x80) returned 0x9038a8 [0300.300] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0300.300] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1ac) returned 0x911e48 [0300.300] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0300.300] GetLastError () returned 0x0 [0300.300] SetLastError (dwErrCode=0x0) [0300.300] GetEnvironmentStringsW () returned 0x912000* [0300.300] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0xa8c) returned 0x912a98 [0300.300] FreeEnvironmentStringsW (penv=0x912000) returned 1 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x904598 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3e) returned 0x90ac80 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x5c) returned 0x908ad8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x6e) returned 0x904890 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x78) returned 0x9143d8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x904a30 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x28) returned 0x903dc8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x904018 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1a) returned 0x903df8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90b148 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x62) returned 0x904660 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2a) returned 0x9087c8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x9089f8 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1c) returned 0x904800 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x144) returned 0x909cf0 [0300.301] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x7c) returned 0x9043d0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e0f8 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3a) returned 0x90ade8 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x90) returned 0x903e40 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x904828 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x30) returned 0x908720 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x36) returned 0x90e238 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x48) returned 0x903c28 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x903948 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x3c) returned 0x90af98 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0xd6) returned 0x909eb0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2e) returned 0x9086b0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x1e) returned 0x903c78 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908950 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x54) returned 0x902928 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x52) returned 0x9004b8 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x9040a0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x42) returned 0x9040d0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x2c) returned 0x908838 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x44) returned 0x909fe0 [0300.302] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x24) returned 0x904120 [0300.303] HeapFree (in: hHeap=0x900000, dwFlags=0x0, lpMem=0x912a98 | out: hHeap=0x900000) returned 1 [0300.310] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x8, Size=0x800) returned 0x912000 [0300.310] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0300.310] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0300.310] GetStartupInfoW (in: lpStartupInfo=0x18feb8 | out: lpStartupInfo=0x18feb8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0300.310] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"" [0300.310] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"", pNumArgs=0x18fea4 | out: pNumArgs=0x18fea4) returned 0x912c50*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0300.311] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0300.314] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x1000) returned 0x914538 [0300.314] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x4e) returned 0x908310 [0300.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumCertificateIds", cchWideChar=-1, lpMultiByteStr=0x908310, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumCertificateIds", lpUsedDefaultChar=0x0) returned 39 [0300.314] GetLastError () returned 0x0 [0300.315] SetLastError (dwErrCode=0x0) [0300.315] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsW") returned 0x0 [0300.315] GetLastError () returned 0x7f [0300.315] SetLastError (dwErrCode=0x7f) [0300.315] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIdsA") returned 0x0 [0300.315] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumCertificateIds") returned 0x647c9404 [0300.315] RtlAllocateHeap (HeapHandle=0x900000, Flags=0x0, Size=0x10) returned 0x90a338 [0300.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x90a338, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0300.315] GetActiveWindow () returned 0x0 [0300.316] GetLastError () returned 0x7f [0300.316] SetLastError (dwErrCode=0x7f) Thread: id = 948 os_tid = 0x5c0 Process: id = "449" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x3dc7000" os_pid = "0xd38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "448" os_parent_pid = "0x12f4" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumCertificateIds /fn_args=\"Install\"" cur_dir = "C:\\Windows\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Process: id = "450" image_name = "sxnuff.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe" page_root = "0x62c31000" os_pid = "0x11b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xcf8" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f443" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 32754 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 32755 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 32756 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 32757 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 32758 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 32759 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 32760 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 32761 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 32762 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 32763 start_va = 0x1310000 end_va = 0x1331fff monitored = 1 entry_point = 0x1311bac region_type = mapped_file name = "sxnuff.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe") Region: id = 32764 start_va = 0x77650000 end_va = 0x777cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 32765 start_va = 0x7e950000 end_va = 0x7e972fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e950000" filename = "" Region: id = 32766 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 32767 start_va = 0x7fff0000 end_va = 0x7ffb201affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 32768 start_va = 0x7ffb201b0000 end_va = 0x7ffb20370fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 32769 start_va = 0x7ffb20371000 end_va = 0x7ffffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ffb20371000" filename = "" Region: id = 32772 start_va = 0x410000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 32773 start_va = 0x533d0000 end_va = 0x5341ffff monitored = 0 entry_point = 0x533e8180 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 32774 start_va = 0x53420000 end_va = 0x53499fff monitored = 0 entry_point = 0x53433290 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 32775 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32776 start_va = 0x534a0000 end_va = 0x534a7fff monitored = 0 entry_point = 0x534a17c0 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 32777 start_va = 0x4d0000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32778 start_va = 0x75820000 end_va = 0x758fffff monitored = 0 entry_point = 0x75833980 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 32779 start_va = 0x75c80000 end_va = 0x75dfdfff monitored = 0 entry_point = 0x75d31b90 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 32783 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 32784 start_va = 0x7e850000 end_va = 0x7e94ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007e850000" filename = "" Region: id = 32785 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 32786 start_va = 0x74ec0000 end_va = 0x75006fff monitored = 0 entry_point = 0x74ed1cf0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 32787 start_va = 0x74a60000 end_va = 0x74baefff monitored = 0 entry_point = 0x74b16820 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 32788 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 32789 start_va = 0x4d0000 end_va = 0x5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 32790 start_va = 0x690000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 32791 start_va = 0x75e00000 end_va = 0x771fefff monitored = 0 entry_point = 0x75fbb990 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 32792 start_va = 0x754e0000 end_va = 0x7559dfff monitored = 0 entry_point = 0x75515630 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 32793 start_va = 0x74c50000 end_va = 0x74c86fff monitored = 0 entry_point = 0x74c53b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 32794 start_va = 0x74560000 end_va = 0x74a58fff monitored = 0 entry_point = 0x74767610 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 32795 start_va = 0x75610000 end_va = 0x757ccfff monitored = 0 entry_point = 0x756f2a10 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 32796 start_va = 0x75900000 end_va = 0x759acfff monitored = 0 entry_point = 0x75914f00 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 32797 start_va = 0x74380000 end_va = 0x7439dfff monitored = 0 entry_point = 0x7438b640 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 32798 start_va = 0x5d0000 end_va = 0x5d3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 32799 start_va = 0x74370000 end_va = 0x74379fff monitored = 0 entry_point = 0x74372a00 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 32800 start_va = 0x755b0000 end_va = 0x75607fff monitored = 0 entry_point = 0x755f25c0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 32801 start_va = 0x757d0000 end_va = 0x75813fff monitored = 0 entry_point = 0x757e9d80 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 32802 start_va = 0x77260000 end_va = 0x772dafff monitored = 0 entry_point = 0x7727e970 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 32816 start_va = 0x75a40000 end_va = 0x75a84fff monitored = 0 entry_point = 0x75a5de90 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 32824 start_va = 0x772e0000 end_va = 0x772ebfff monitored = 0 entry_point = 0x772e3930 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 32825 start_va = 0x744d0000 end_va = 0x7455cfff monitored = 0 entry_point = 0x74519b90 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 32826 start_va = 0x74430000 end_va = 0x74473fff monitored = 0 entry_point = 0x74437410 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 32827 start_va = 0x77620000 end_va = 0x7762efff monitored = 0 entry_point = 0x77622e40 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 32828 start_va = 0x75a90000 end_va = 0x75b7afff monitored = 0 entry_point = 0x75acd650 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 32829 start_va = 0x5e0000 end_va = 0x609fff monitored = 0 entry_point = 0x5e5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32830 start_va = 0x790000 end_va = 0x917fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 32831 start_va = 0x774d0000 end_va = 0x774fafff monitored = 0 entry_point = 0x774d5680 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 32832 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 32833 start_va = 0x5e0000 end_va = 0x5e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 32834 start_va = 0x920000 end_va = 0xaa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 32835 start_va = 0xab0000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 32836 start_va = 0x1340000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001340000" filename = "" Region: id = 32841 start_va = 0x5f0000 end_va = 0x680fff monitored = 0 entry_point = 0x628cf0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 32842 start_va = 0x647c0000 end_va = 0x64801fff monitored = 1 entry_point = 0x647c1400 region_type = mapped_file name = "b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" filename = "\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") Region: id = 32843 start_va = 0x5f0000 end_va = 0x5f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 32844 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 32845 start_va = 0x600000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Thread: id = 949 os_tid = 0x116c [0301.285] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0301.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0301.288] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0301.288] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0301.288] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0301.288] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0301.289] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0301.289] GetProcAddress (hModule=0x75c80000, lpProcName="InitializeCriticalSectionEx") returned 0x75d3d740 [0301.290] GetProcessHeap () returned 0x690000 [0301.290] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0301.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsAlloc") returned 0x75d44490 [0301.290] GetLastError () returned 0x7e [0301.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsGetValue") returned 0x75d2f350 [0301.290] GetProcAddress (hModule=0x75c80000, lpProcName="FlsSetValue") returned 0x75d3d7a0 [0301.290] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x364) returned 0x6a0aa8 [0301.290] SetLastError (dwErrCode=0x7e) [0301.290] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xe00) returned 0x6a0e18 [0301.292] GetStartupInfoW (in: lpStartupInfo=0x18fa48 | out: lpStartupInfo=0x18fa48*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0301.292] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0301.292] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0301.292] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0301.292] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"" [0301.292] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"" [0301.292] GetACP () returned 0x4e4 [0301.292] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x220) returned 0x6a1c20 [0301.292] IsValidCodePage (CodePage=0x4e4) returned 1 [0301.292] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fa68 | out: lpCPInfo=0x18fa68) returned 1 [0301.292] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f330 | out: lpCPInfo=0x18f330) returned 1 [0301.292] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0301.292] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x18f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0301.292] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f344 | out: lpCharType=0x18f344) returned 1 [0301.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0301.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x18f088, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ") returned 256 [0301.293] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x75c80000 [0301.293] GetProcAddress (hModule=0x75c80000, lpProcName="LCMapStringEx") returned 0x75d295f0 [0301.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0301.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿᖉIJĀ", cchSrc=256, lpDestStr=0x18ee78, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0301.293] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18f844, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²Q,Í\x80ú\x18", lpUsedDefaultChar=0x0) returned 256 [0301.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0301.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f944, cbMultiByte=256, lpWideCharStr=0x18f0a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0301.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0301.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18ee98, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0301.293] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18f744, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ²Q,Í\x80ú\x18", lpUsedDefaultChar=0x0) returned 256 [0301.293] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x80) returned 0x6938b0 [0301.293] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x132de10, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\sxnuff.exe")) returned 0x28 [0301.293] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1b6) returned 0x6a1e48 [0301.294] RtlInitializeSListHead (in: ListHead=0x132dd40 | out: ListHead=0x132dd40) [0301.294] GetLastError () returned 0x0 [0301.294] SetLastError (dwErrCode=0x0) [0301.294] GetEnvironmentStringsW () returned 0x6a2008* [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0xa8c) returned 0x6a2aa0 [0301.294] FreeEnvironmentStringsW (penv=0x6a2008) returned 1 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x90) returned 0x6945a0 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x3e) returned 0x69b0b8 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x5c) returned 0x698878 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x6e) returned 0x694668 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x78) returned 0x6a3ee0 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x62) returned 0x694a38 [0301.294] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x28) returned 0x693dd0 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x48) returned 0x694020 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1a) returned 0x690570 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x3a) returned 0x69b070 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x62) returned 0x693c30 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x2a) returned 0x6986f0 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x2e) returned 0x698530 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1c) returned 0x693e00 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x144) returned 0x699cf0 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x7c) returned 0x6980d8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x36) returned 0x69e1f8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x3a) returned 0x69af08 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x90) returned 0x6943d8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x24) returned 0x693950 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x30) returned 0x698610 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x36) returned 0x69e238 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x48) returned 0x692930 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x52) returned 0x6904b8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x3c) returned 0x69ac38 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0xd6) returned 0x699eb0 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x2e) returned 0x6984f8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x1e) returned 0x692980 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x2c) returned 0x698798 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x54) returned 0x693e48 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x52) returned 0x6940a8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x24) returned 0x693ea8 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x42) returned 0x694108 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x2c) returned 0x698450 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x44) returned 0x699fe0 [0301.295] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x24) returned 0x693980 [0301.297] HeapFree (in: hHeap=0x690000, dwFlags=0x0, lpMem=0x6a2aa0 | out: hHeap=0x690000) returned 1 [0301.297] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x8, Size=0x800) returned 0x6a2008 [0301.297] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0301.297] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13121d9) returned 0x0 [0301.297] GetStartupInfoW (in: lpStartupInfo=0x18faac | out: lpStartupInfo=0x18faac*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0301.297] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"" [0301.297] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe\" /dll=\"C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll\" /fn_id=kkcs11h_certificate_enumTokenCertificateIds /fn_args=\"Install\"", pNumArgs=0x18fa98 | out: pNumArgs=0x18fa98) returned 0x6a2c58*="C:\\Users\\RDhJ0CNFevzX\\Desktop\\sXnufF.exe" [0301.298] LoadLibraryW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\b8e5e6f25a38fafe147ffa77f3d44a3323254797ebe8017b8a19de866a24daba.dll") returned 0x647c0000 [0301.300] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x1000) returned 0x6a4540 [0301.300] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x58) returned 0x69a728 [0301.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kkcs11h_certificate_enumTokenCertificateIds", cchWideChar=-1, lpMultiByteStr=0x69a728, cbMultiByte=88, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kkcs11h_certificate_enumTokenCertificateIds", lpUsedDefaultChar=0x0) returned 44 [0301.300] GetLastError () returned 0x0 [0301.300] SetLastError (dwErrCode=0x0) [0301.301] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsW") returned 0x0 [0301.301] GetLastError () returned 0x7f [0301.301] SetLastError (dwErrCode=0x7f) [0301.301] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIdsA") returned 0x0 [0301.301] GetProcAddress (hModule=0x647c0000, lpProcName="kkcs11h_certificate_enumTokenCertificateIds") returned 0x647c91d9 [0301.301] RtlAllocateHeap (HeapHandle=0x690000, Flags=0x0, Size=0x10) returned 0x69a290 [0301.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x69a290, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0301.301] GetActiveWindow () returned 0x0 [0301.302] GetLastError () returned 0x7f [0301.302] SetLastError (dwErrCode=0x7f) Thread: id = 952 os_tid = 0xd1c